I am not sure I have understood Robert correctly but it seems obvious to me that if a site does not want to reveal its origin it cannot apply for a tighter cooperation; it will just be treated as any other site in the wild. And it is better not to rely on the user agent to do the right thing if possible.
Chris

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert O'Callahan
Sent: Monday, September 29, 2008 11:33 AM
To: Hallvord R M Steen
Cc: [email protected]; Michal Zalewski; Smylers
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent to the current web

That's good to have and we should definitely do it, but there are a couple of reasons "Same-Origin-Only-Unless-Access-Controls-Says-Otherwise" would be useful as well:
-- a bit simpler to implement on the server
-- for privacy reasons some UAs in some situations might not want to expose the origin to the IFRAME's server; allowing the origin check to happen on the client would handle that
