WICG / bfcache-not-restored-reason


Cross-origin iframe name. #4

Closed terjanq closed 2 years ago

terjanq commented 2 years ago

When reviewing the intent, one thing caught my attention, and that is the possibility of exposing a cross-origin frame's name. It's not immediately clear whether it is the original name attribute from the frame, or whether the value is the frame's actual name, which could be changed by an application. I guess that it's meant to be just iframe.getAttribute('name'), which is fine. But just in case, I wanted to point it out as a possible cross-origin leak (if, for example, the name was taken as iframe.contentWindow.name).

rubberyuzu commented 2 years ago

Thanks for the issue. I actually forgot to update the document, and the current implementation hides all the information for cross-origin frames except for bool blocked. I agree that if we expose the name it is a potential leak. Will update the document. Thanks again!

rubberyuzu commented 2 years ago

Sorry, I was confused. Actually, name, id, src should be exposed for debugging. I will update the implementation and the explainer again. But as you said, we are only exposing the original name instead of the updated name.

terjanq commented 2 years ago

In that case it should be fine :)