[whatwg] AllowSeamless feedback
Markus Ernst
derernst at gmx.ch
Fri Jan 18 05:23:27 PST 2013
Am 15.01.2013 00:39 schrieb Nasko Oskov:
> Hi whatwg,
> I recently became aware of the proposal to add AllowSeamless attribute that
> will permit cross-origin seamless iframes (
> http://wiki.whatwg.org/wiki/AllowSeamless). We are currently working on a
> new security policy in Chrome, which will separate each site into its own
> renderer process. More information can be found at
> http://www.chromium.org/developers/design-documents/site-isolation.
Re-reading this Chromium document, I had the idea that AllowSeamless may
be a special case of something which should rather be like
"AllowSameOrigin"?
A document that allows to be treated as same-origin by the including
document would then be removed from the "siteInstance" (or security
context) of its own origin, and added to the one of the including document.
I think that per-origin control would be necessary in this case, so it
would look somehow like:
<meta name="allow-same-origin" content="foo.net, bar.com">
Or:
<html allow-same-origin="foo.net, bar.com">
<html allow-same-origin="all">
I see the following advantages compared to an AllowSeamless solution:
- New spec is only needed for the mechanism itself. All issues that
derive from the mechanism are already covered by the same-origin policy.
- Authors who decide to use AllowSameOrigin in a resource are more
likely to be aware of security risks than they were about an
AllowSeamless solution (which actually sounds like something purely
design-related)
(Excuse me in case this is a silly idea - I am a web author with zero
knowledge on browser implementation.)
More information about the whatwg
mailing list