[whatwg] crossorigin property on iframe
Boris Zbarsky
bzbarsky at MIT.EDU
Thu Apr 12 13:04:40 PDT 2012
On 4/12/12 3:30 PM, Ojan Vafai wrote:
> We should add a crossorigin property on iframe that causes the request to
> use CORS.
Which request? Just the @src load? Or navigation of the frame via its
Location object too?
> If it's an allowed cross-domain request, then the page should
> have access to the DOM of the frame.
Which page? Just the page that embedded the frame? Or any page? This
should presumably be an asymmetric access check, in that the subframe
should not be able to access the parent frame DOM?
If this is done, it sounds like the code in the parent frame would have
to be _very_ careful to avoid being attacked by the subframe. We
(Mozilla) have a fair amount of experience in this sort of setup: we
have a parent frame (the browser UI) that can touch cross-origin
subframes (web pages) with asymmetric security checks. We've discovered
over the years that unless the access is very carefully mediated in
various ways it becomes trivial for the subframe to run script with the
permissions of the embedding frame.
While it's possible, obviously, to spec out the exact mediation needed,
I just want us to realize that this is NOT a small project that will
require a line or two of spec text to get right.
-Boris
More information about the whatwg
mailing list