[whatwg] AllowSeamless feedback
Anne van Kesteren
annevk at annevk.nl
Fri Jan 18 05:40:17 PST 2013
On Tue, Jan 15, 2013 at 2:44 PM, Markus Ernst <derernst at gmx.ch> wrote:
> The allow-seamless mechanism is to be triggered at the side of the embedded
> resource, which would also be the one affected by possible security risks
> (if I get this right). The developer of this resource will have to be aware
> of these risks, and avoid to expose critical stuff in pages that allow
> seamless embedding.
>
> So, would it be possible to generally treat resources that allow seamless
> embedding as same-origin from the security POV?
No. And "AllowSameOrigin" would not work either. Because of scripting
one resource granting such access means exposing the entire origin to
attacks.
--
http://annevankesteren.nl/
More information about the whatwg
mailing list