[whatwg] AllowSeamless feedback

Markus Ernst derernst at gmx.ch
Fri Jan 18 05:23:27 PST 2013


Am 15.01.2013 00:39 schrieb Nasko Oskov:
> Hi whatwg,
> I recently became aware of the proposal to add AllowSeamless attribute that
> will permit cross-origin seamless iframes (
> http://wiki.whatwg.org/wiki/AllowSeamless). We are currently working on a
> new security policy in Chrome, which will separate each site into its own
> renderer process. More information can be found at
> http://www.chromium.org/developers/design-documents/site-isolation.

Re-reading this Chromium document, I had the idea that AllowSeamless may 
be a special case of something which should rather be like 
"AllowSameOrigin"?

A document that allows to be treated as same-origin by the including 
document would then be removed from the "siteInstance" (or security 
context) of its own origin, and added to the one of the including document.

I think that per-origin control would be necessary in this case, so it 
would look somehow like:
<meta name="allow-same-origin" content="foo.net, bar.com">
Or:
<html allow-same-origin="foo.net, bar.com">
<html allow-same-origin="all">

I see the following advantages compared to an AllowSeamless solution:
- New spec is only needed for the mechanism itself. All issues that 
derive from the mechanism are already covered by the same-origin policy.
- Authors who decide to use AllowSameOrigin in a resource are more 
likely to be aware of security risks than they were about an 
AllowSeamless solution (which actually sounds like something purely 
design-related)

(Excuse me in case this is a silly idea - I am a web author with zero 
knowledge on browser implementation.)



More information about the whatwg mailing list