Re: [whatwg] Prevent a document from being manipulated by a "top" document

2011-08-02 Thread John Tamplin
On Tue, Aug 2, 2011 at 7:15 AM, Dennis Joachimsthaler wrote: > On 02.08.2011 at 13:12, Anne van Kesteren wrote: > >> If users cannot trust their userscripts and addons (provided they can do >> unsafe things) they have lost already. >> >> > True. We do not make standards solely to protect inexp

Re: [whatwg] Prevent a document from being manipulated by a "top" document

2011-08-02 Thread Dennis Joachimsthaler
On 02.08.2011 at 13:12, Anne van Kesteren wrote: If users cannot trust their userscripts and addons (provided they can do unsafe things) they have lost already. True. We do not make standards solely to protect inexperienced users. Thank you for your insight on this matter, though.

Re: [whatwg] Prevent a document from being manipulated by a "top" document

2011-08-02 Thread Anne van Kesteren
On Tue, 02 Aug 2011 13:05:07 +0200, Dennis Joachimsthaler wrote: It is not possible anyway? That kind of renders my worries baseless. Right. But this use case still holds: Userscripts and addons could still read out everything from the sites. It might be way too much a niche case though.

Re: [whatwg] Prevent a document from being manipulated by a "top" document

2011-08-02 Thread Dennis Joachimsthaler
On 02.08.2011 at 13:00, Anne van Kesteren wrote: On Tue, 02 Aug 2011 12:48:06 +0200, Dennis Joachimsthaler wrote: Say, there's a site which uses an autologin facility to automatically log their users in when the site is opened. Malicious guy #1 prepares a site that loads the same site i

Re: [whatwg] Prevent a document from being manipulated by a "top" document

2011-08-02 Thread Anne van Kesteren
On Tue, 02 Aug 2011 12:48:06 +0200, Dennis Joachimsthaler wrote: I agree that just disallowing that the page gets shown is one solution but I am mainly concerned about reading important information out of an iframe site. Say, there's a site which uses an autologin facility to automatically log

Re: [whatwg] Prevent a document from being manipulated by a "top" document

2011-08-02 Thread Dennis Joachimsthaler
On 02.08.2011 at 12:38, Anne van Kesteren wrote: On Tue, 02 Aug 2011 12:33:18 +0200, Dennis Joachimsthaler wrote: I took a look at the X-Frame-Options and it only disallows displaying in a frame, not forbidding only script access. What kind of script access is allowed cross-origin that

Re: [whatwg] Prevent a document from being manipulated by a "top" document

2011-08-02 Thread Anne van Kesteren
On Tue, 02 Aug 2011 12:33:18 +0200, Dennis Joachimsthaler wrote: I took a look at the X-Frame-Options and it only disallows displaying in a frame, not forbidding only script access. What kind of script access is allowed cross-origin that you are concerned about? -- Anne van Kesteren http

Re: [whatwg] Prevent a document from being manipulated by a "top" document

2011-08-02 Thread Dennis Joachimsthaler
Hello Anne, I took a look at the X-Frame-Options and it only disallows displaying in a frame, not forbidding only script access. Also this is another case of an HTTP header that would also find a good place in the HTML itself, like with the Content-Disposition attribute I suggested (and now got s

Re: [whatwg] Prevent a document from being manipulated by a "top" document

2011-08-02 Thread Anne van Kesteren
On Tue, 02 Aug 2011 12:21:31 +0200, Dennis Joachimsthaler wrote: [...] The X-Frame-Options header addresses this if I understand the concern correctly. -- Anne van Kesteren http://annevankesteren.nl/

[whatwg] Prevent a document from being manipulated by a "top" document

2011-08-02 Thread Dennis Joachimsthaler
I think this needs a better thread title... Feel free to change it. I've been having this idea. Usually when you insert an , for example you can easily manipulate its DOM structure. There is no way to prevent this, or? The top document can even just sandbox the iframe and allow scripts, but