[whatwg] Proposal: location.parentOrigin

Michal Zalewski lcamtuf at coredump.cx
Wed Apr 4 22:15:27 PDT 2012


I can think of some fringe scenarios where disclosing parent origins
may be somewhat undesirable. One example may be a "double-bagged"
advertisement, where the intent is to not tell the advertiser about
the top-level page the ad is embedded on (visited site -> <iframe>
pointing to the ad provider site -> <iframe> with embedded advertiser
content).

Not sure if there's anything more convincing, but perhaps it's
desirable to obtain constent from parents before populating the array
(e.g. <iframe discloseorigin=yes>). If a member of the chain doesn't
consent, the corresponding element of the array is null / undefined /
an empty string?

/mz



More information about the whatwg mailing list