Closed rniwa closed 2 years ago
Consider solving this and https://github.com/w3c/longtasks/issues/53
It's true that just looking at attribution
will expose what's going on, but we still need to use some string as the name
.
If we aren't using multiple-contexts
as the name, what would we use?
Can we close this?
Since it's an information leak to disclose whether a cross origin iframe contained another iframe or not
This is information that has been available for as long as JavaScript has been around: the frame tree, including cross-origin frames and their descendants, is traversable through indexed access on the Window object.
At any rate, after two years, I think this is closable.
Since it's an information leak to disclose whether a cross origin iframe contained another iframe or not, this would only apply to the same origin iframe. If that were the case, the script can simply look at
attribution
and infer that there were multiple frames involved.