Am 18.01.2013 14:40 schrieb Anne van Kesteren:
On Tue, Jan 15, 2013 at 2:44 PM, Markus Ernst <derer...@gmx.ch> wrote:
The allow-seamless mechanism is to be triggered at the side of the embedded
resource, which would also be the one affected by possible security risks
(if I get this right). The developer of this resource will have to be aware
of these risks, and avoid to expose critical stuff in pages that allow
seamless embedding.
So, would it be possible to generally treat resources that allow seamless
embedding as same-origin from the security POV?
No. And "AllowSameOrigin" would not work either. Because of scripting
one resource granting such access means exposing the entire origin to
attacks.
I did not mean to merge origins, but to completely detach the included
resource from its origin, and allocate it to the origin of the including
document:
- Document from A domain-A.com includes resource B from domain-B.com
- Resource B has set AllowSameOrigin="domain-A.com"
-> Document A and resource B can access each other as same-origin
- Now Resource B tries to access resource C from domain-B.com
- Resource C does not have AllowSameOrigin specified for domain-A.com
-> Resource B cannot access resource C, as it would violate the
same-origin policy. Resource B is treated as of origin domain-A.com.
I don't know whether this is possible, but I think if yes, it would be
an elegant solution to this topic.
