[whatwg] keepalive attribute on iframe

Ryosuke Niwa rniwa at webkit.org
Tue Apr 17 20:58:02 PDT 2012


On Tue, Apr 17, 2012 at 8:35 PM, Dmitry Titov <dimich at chromium.org> wrote:

> Would some sort of a same-origin policy help here? If both the iframe and
> parent document are same origin, can it be done, at least for the
> reparenting in the same JS execution block? Most (all?) of the security
> issues were specifically cross-origin.
>

If I remember correctly, some of bugs we've had weren't about cross-origin
iframes. It was about not being able to infer the correct origin in a
detached iframe. So yes, they were cross-origin bugs because we ended up
executing scripts we shouldn't be executing but that's not because iframes
were cross-origin to begin with.

But yes, there are a lot of assumptions in the code about not only iframes,
> but most active objects to function only while they are connected all the
> way through to the valid DOM. There is too many APIs (and new ones are
> coming all the time) who pick up that assumption. It is not impossible,
> just a lot of work.
>

I would go as far as to say it's practically impossible.

- Ryosuke



More information about the whatwg mailing list