Re: [whatwg] Proposal: location.parentOrigin

2013-07-16 Thread Adam Barth
On Tue, Jul 16, 2013 at 4:14 PM, Ian Hickson wrote:
> On Wed, 17 Jul 2013, Tobie Langel wrote:
>> On Wednesday, July 17, 2013 at 12:42 AM, Ian Hickson wrote:
>> > On Wed, 17 Jul 2013, Tobie Langel wrote:
>> > > On Tuesday, July 16, 2013 at 7:53 PM, Ian Hickson wrote:
>> > > > Can't you do window.i

Re: [whatwg] Proposal: location.parentOrigin

2013-07-16 Thread Tobie Langel
On Wednesday, July 17, 2013 at 12:42 AM, Ian Hickson wrote:
> On Wed, 17 Jul 2013, Tobie Langel wrote:
> > On Tuesday, July 16, 2013 at 7:53 PM, Ian Hickson wrote:
> > > Can't you do window.isSameOrigin by just trying to access
> > > window.location.href and seeing if you get an exception?
> > >

Re: [whatwg] Proposal: location.parentOrigin

2013-07-16 Thread Ian Hickson
On Wed, 17 Jul 2013, Tobie Langel wrote:
> On Wednesday, July 17, 2013 at 12:42 AM, Ian Hickson wrote:
> > On Wed, 17 Jul 2013, Tobie Langel wrote:
> > > On Tuesday, July 16, 2013 at 7:53 PM, Ian Hickson wrote:
> > > > Can't you do window.isSameOrigin by just trying to access
> > > > window.locati

Re: [whatwg] Proposal: location.parentOrigin

2013-07-16 Thread Ian Hickson
On Wed, 17 Jul 2013, Tobie Langel wrote:
> On Tuesday, July 16, 2013 at 7:53 PM, Ian Hickson wrote:
> > Can't you do window.isSameOrigin by just trying to access
> > window.location.href and seeing if you get an exception?
>
> Unfortunately not, because of the previously mentioned WebKit bug whic

Re: [whatwg] Proposal: location.parentOrigin

2013-07-16 Thread Tobie Langel
On Tuesday, July 16, 2013 at 7:53 PM, Ian Hickson wrote:
> Can't you do window.isSameOrigin by just trying to access
> window.location.href and seeing if you get an exception?
Unfortunately not, because of the previously mentioned WebKit bug which logs an error message but doesn't throw (so ther

Re: [whatwg] Proposal: location.parentOrigin

2013-07-16 Thread Ian Hickson
On Tue, 20 Nov 2012, Tobie Langel wrote:
> On Tue, Nov 20, 2012 at 6:47 AM, Ian Hickson wrote:
> > On Mon, 26 Mar 2012, Adam Barth wrote:
> >>
> >> For nested browsing contexts, expose the origin of the parent
> >> browsing context via location.parentOrigin. (For non-nested browsing
> >> contex

Re: [whatwg] Proposal: location.parentOrigin

2012-11-20 Thread Tobie Langel
On Tue, Nov 20, 2012 at 6:47 AM, Ian Hickson wrote:
> On Mon, 26 Mar 2012, Adam Barth wrote:
>>
>> For nested browsing contexts, expose the origin of the parent browsing
>> context via location.parentOrigin. (For non-nested browsing contexts,
>> the property would be null.)
>
> This ended up implemen

Re: [whatwg] Proposal: location.parentOrigin

2012-11-19 Thread Ian Hickson
On Mon, 26 Mar 2012, Adam Barth wrote:
>
> For nested browsing contexts, expose the origin of the parent browsing
> context via location.parentOrigin. (For non-nested browsing contexts,
> the property would be null.)
This ended up implemented in WebKit as Location.ancestorOrigins(), a method that

Re: [whatwg] Proposal: location.parentOrigin

2012-04-05 Thread Adam Barth
My sense is that's an acceptable risk given that this information commonly leaks in document.referrer anyway. Using sandbox sounds like a worthwhile backstop though.
Adam

Re: [whatwg] Proposal: location.parentOrigin

2012-04-05 Thread Michal Zalewski
> Tab suggests (on IRC) that this should just be tied to sandbox="", which
> seems reasonable at first blush.
Sandbox is opt-in (which means we'd start revealing origins in existing settings without a warning); and has other serious constraints which preclude it from some existing use cases (e.g.,

Re: [whatwg] Proposal: location.parentOrigin

2012-04-05 Thread Ian Hickson
On Wed, 4 Apr 2012, Michal Zalewski wrote:
>
> In fact, in the vein of opt-in disclosure perhaps something like
> discloselocation={none|origin|full} would be more convenient - in which
> case, you get something like
> window.parentLocations[n].{origin|href|hash|...}
>
> I constantly fear that

Re: [whatwg] Proposal: location.parentOrigin

2012-04-04 Thread Michal Zalewski
In fact, in the vein of opt-in disclosure perhaps something like discloselocation={none|origin|full} would be more convenient - in which case, you get something like window.parentLocations[n].{origin|href|hash|...}
I constantly fear that origin scoping for security mechanisms is too coarse-grained

Re: [whatwg] Proposal: location.parentOrigin

2012-04-04 Thread Michal Zalewski
I can think of some fringe scenarios where disclosing parent origins may be somewhat undesirable. One example may be a "double-bagged" advertisement, where the intent is to not tell the advertiser about the top-level page the ad is embedded on (visited site -> pointing to the ad provider site ->

Re: [whatwg] Proposal: location.parentOrigin

2012-04-04 Thread Jonas Sicking
On Wed, Apr 4, 2012 at 11:20 AM, Adam Barth wrote:
> On Wed, Apr 4, 2012 at 11:06 AM, Ian Hickson wrote:
>> On Tue, 3 Apr 2012, Adam Barth wrote:
>>> On Tue, Apr 3, 2012 at 6:54 PM, Ian Hickson wrote:
>>> > On Tue, 3 Apr 2012, Adam Barth wrote:
>>> >> On Tue, Apr 3, 2012 at 4:32 PM, Ian Hickson

Re: [whatwg] Proposal: location.parentOrigin

2012-04-04 Thread Adam Barth
On Wed, Apr 4, 2012 at 11:20 AM, Adam Barth wrote:
> On Wed, Apr 4, 2012 at 11:06 AM, Ian Hickson wrote:
>> On Tue, 3 Apr 2012, Adam Barth wrote:
>>> On Tue, Apr 3, 2012 at 6:54 PM, Ian Hickson wrote:
>>> > On Tue, 3 Apr 2012, Adam Barth wrote:
>>> >> On Tue, Apr 3, 2012 at 4:32 PM, Ian Hickson

Re: [whatwg] Proposal: location.parentOrigin

2012-04-04 Thread Adam Barth
On Wed, Apr 4, 2012 at 11:06 AM, Ian Hickson wrote:
> On Tue, 3 Apr 2012, Adam Barth wrote:
>> On Tue, Apr 3, 2012 at 6:54 PM, Ian Hickson wrote:
>> > On Tue, 3 Apr 2012, Adam Barth wrote:
>> >> On Tue, Apr 3, 2012 at 4:32 PM, Ian Hickson wrote:
>> >> > On Tue, 3 Apr 2012, Adam Barth wrote:
>> >

Re: [whatwg] Proposal: location.parentOrigin

2012-04-04 Thread Ian Hickson
On Tue, 3 Apr 2012, Adam Barth wrote:
> On Tue, Apr 3, 2012 at 6:54 PM, Ian Hickson wrote:
> > On Tue, 3 Apr 2012, Adam Barth wrote:
> >> On Tue, Apr 3, 2012 at 4:32 PM, Ian Hickson wrote:
> >> > On Tue, 3 Apr 2012, Adam Barth wrote:
> >> >> Talking with some folks off-list, there are also use ca

Re: [whatwg] Proposal: location.parentOrigin

2012-04-03 Thread Adam Barth
On Tue, Apr 3, 2012 at 6:54 PM, Ian Hickson wrote:
> On Tue, 3 Apr 2012, Adam Barth wrote:
>> On Tue, Apr 3, 2012 at 4:32 PM, Ian Hickson wrote:
>> > On Tue, 3 Apr 2012, Adam Barth wrote:
>> >> Talking with some folks off-list, there are also use cases for knowing
>> >> the origin of the top-most

Re: [whatwg] Proposal: location.parentOrigin

2012-04-03 Thread Ian Hickson
On Tue, 3 Apr 2012, Adam Barth wrote:
> On Tue, Apr 3, 2012 at 4:32 PM, Ian Hickson wrote:
> > On Tue, 3 Apr 2012, Adam Barth wrote:
> >> Talking with some folks off-list, there are also use cases for knowing
> >> the origin of the top-most document.
> >
> > Could you elaborate on those use cases?

Re: [whatwg] Proposal: location.parentOrigin

2012-04-03 Thread Adam Barth
On Tue, Apr 3, 2012 at 4:32 PM, Ian Hickson wrote:
> On Tue, 3 Apr 2012, Adam Barth wrote:
>> Talking with some folks off-list, there are also use cases for knowing
>> the origin of the top-most document.
>
> Could you elaborate on those use cases? (And also those for parent.origin,
> though those

Re: [whatwg] Proposal: location.parentOrigin

2012-04-03 Thread Ian Hickson
On Tue, 3 Apr 2012, Adam Barth wrote:
>
> Talking with some folks off-list, there are also use cases for knowing
> the origin of the top-most document.
Could you elaborate on those use cases? (And also those for parent.origin, though those seem more obvious, e.g. disabling features to protect ag

Re: [whatwg] Proposal: location.parentOrigin

2012-04-03 Thread Adam Barth
Talking with some folks off-list, there are also use cases for knowing the origin of the top-most document. Rather than introduce topOrigin, we might be better off with alternative (1) below, making location.origin visible to descendant frames.
Adam
On Mon, Mar 26, 2012 at 5:09 PM, Adam Barth

[whatwg] Proposal: location.parentOrigin

2012-03-26 Thread Adam Barth
== Proposal ==
For nested browsing contexts, expose the origin of the parent browsing context via location.parentOrigin. (For non-nested browsing contexts, the property would be null.)
== Use Case ==
Some widgets want to behave differently depending on the context in which they are embedded. For e