On 2/25/13 3:00 PM, Adam Barth wrote:
Yes, that's to defend against a different sort of attack. In some
browsers, like Firefox, data URLs inherit the security context of
their authors.
This is not the case for data: URLs that are the target of a redirect,
for what it's worth. At least in Fir
On Mon, Feb 25, 2013 at 1:49 AM, Anne van Kesteren wrote:
> On Mon, Feb 25, 2013 at 4:30 AM, Adam Barth wrote:
>> I don't think there is a security problem with that. It's just a
>> question of how much it complicates the model.
>
> Well currently for http://software.hixie.ch/utilities/cgi/data/
On 25/02/2013 19:10, Ian Hickson wrote:
On Mon, 25 Feb 2013, David Bruant wrote:
As a more general question: does iframe@sandbox="allow-same-origin" make a
page and a cross-origin iframe further connected than they are currently
without the keyword?
The only difference is that without the ke
On Mon, 25 Feb 2013, David Bruant wrote:
>
> The current description of the allow-same-origin sandbox token in the
> spec is: " The allow-same-origin keyword allows the content to be
> treated as being from the same origin instead of forcing it into a
> unique origin;"
>
> This is a very scary
Hi,
From what I understand, it goes like this:
Using the sandboxing flag on an iframe causes several fine-grained
flags to be set (point 3 of the algorithm). One of the flags -
"sandboxed origin browsing context flag"[1] forces the document into
unique origin and blocks access to document.cookie a
On Mon, Feb 25, 2013 at 4:30 AM, Adam Barth wrote:
> I don't think there is a security problem with that. It's just a
> question of how much it complicates the model.
Well currently for http://software.hixie.ch/utilities/cgi/data/data
Chrome generates a network error if you hit "Generate" with t
Hi,
The current description of the allow-same-origin sandbox token in the
spec is:
" The allow-same-origin keyword allows the content to be treated as
being from the same origin instead of forcing it into a unique origin;"
This is a very scary wording. Understood naively, I understand I could