On 4/12/12 3:30 PM, Ojan Vafai wrote:
> We should add a crossorigin property on iframe that causes the request to
> use CORS.

Which request? Just the @src load? Or navigation of the frame via its Location object too?

> If it's an allowed cross-domain request, then the page should
> have access to the DOM of the frame.

Which page? Just the page that embedded the frame? Or any page? This should presumably be an asymmetric access check, in that the subframe should not be able to access the parent frame DOM?

If this is done, it sounds like the code in the parent frame would have to be _very_ careful to avoid being attacked by the subframe. We (Mozilla) have a fair amount of experience in this sort of setup: we have a parent frame (the browser UI) that can touch cross-origin subframes (web pages) with asymmetric security checks. We've discovered over the years that unless the access is very carefully mediated in various ways it becomes trivial for the subframe to run script with the permissions of the embedding frame.

While it's possible, obviously, to spec out the exact mediation needed, I just want us to realize that this is NOT a small project that will require a line or two of spec text to get right.

-Boris
