[whatwg] Proposal: location.parentOrigin

Michal Zalewski lcamtuf at coredump.cx
Wed Apr 4 22:25:11 PDT 2012

In fact, in the vein of opt-in disclosure perhaps something like
discloselocation={none|origin|full} would be more convenient - in
which case, you get something like

I constantly fear that origin scoping for security mechanisms is too
coarse-grained in many use cases, because the complexity of what lives
in any single origin is growing pretty rapidly. Sites put
attacker-controlled content inside framed gadgets or advertisements,
and can't be reasonably expected to understand that if such a frame is
navigated to in a particular way, it may circumvent an origin-scoped

