On Wed, Nov 12, 2008 at 3:02 PM, Robert O'Callahan <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 12, 2008 at 4:22 PM, Tim Starling <[EMAIL PROTECTED]> wrote:
>>
>> JavaScript already has measures along the lines of (2), in the context
>> of frames. The information a script can obtain about a frame from a
>> different origin is carefully restricted. I think that a similar
>> solution would be best. It has the advantage of consistency and proven
>> security.
>
> I would say it has a history of proven *insecurity*. Look at clickjacking
> for example.
>
> Anyway, having discussed this with Hixie and Maciej and others a bit on
> #whatwg, things seem to be leaning towards option 2.

While my gut feeling tells me that this is the right solution - would you mind sharing some of the reasoning as discussed on irc?

Thanks,
Silvia.
