[whatwg] AllowSeamless feedback
Markus Ernst
derernst at gmx.ch
Fri Jan 18 08:07:31 PST 2013
Am 18.01.2013 14:40 schrieb Anne van Kesteren:
> On Tue, Jan 15, 2013 at 2:44 PM, Markus Ernst <derernst at gmx.ch> wrote:
>> The allow-seamless mechanism is to be triggered at the side of the embedded
>> resource, which would also be the one affected by possible security risks
>> (if I get this right). The developer of this resource will have to be aware
>> of these risks, and avoid to expose critical stuff in pages that allow
>> seamless embedding.
>>
>> So, would it be possible to generally treat resources that allow seamless
>> embedding as same-origin from the security POV?
>
> No. And "AllowSameOrigin" would not work either. Because of scripting
> one resource granting such access means exposing the entire origin to
> attacks.
>
>
I did not mean to merge origins, but to completely detach the included
resource from its origin, and allocate it to the origin of the including
document:
- Document from A domain-A.com includes resource B from domain-B.com
- Resource B has set AllowSameOrigin="domain-A.com"
-> Document A and resource B can access each other as same-origin
- Now Resource B tries to access resource C from domain-B.com
- Resource C does not have AllowSameOrigin specified for domain-A.com
-> Resource B cannot access resource C, as it would violate the
same-origin policy. Resource B is treated as of origin domain-A.com.
I don't know whether this is possible, but I think if yes, it would be
an elegant solution to this topic.
More information about the whatwg
mailing list