- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Wed, 03 Sep 2014 11:07:23 -0400
- To: public-webappsec@w3.org
On 9/3/14, 8:31 AM, Mike West wrote: > Ok. That sounds reasonable. I suppose an attacker who had already gotten > a frame onto a page could embed a frame in that frame that could iterate > through possible URLs. Since we already expose origins via > `window.location.ancestorOrigins` For some values of "we". It's not clear to me that "we" actually wants to expose that information cross-origin.... -Boris
Received on Wednesday, 3 September 2014 15:07:52 UTC