w3c / webappsec-post-spectre-webdev

Post-Spectre Web Development
https://w3c.github.io/webappsec-post-spectre-webdev/

Clarify the risk coming from embedded iframes #3

Closed camillelamy closed 3 years ago

camillelamy commented 3 years ago

"With this in mind, our general assumption will be that an origin gains access to any resource which it renders (including images, stylesheets, scripts, frames, etc)." -> frames here means child frames, but also parent frames. I think this might be worth being a bit more explicit about the risk coming from embedded frames that also gain access to your data.

mikewest commented 3 years ago

Quite right. Addressed this in https://github.com/mikewest/post-spectre-webdev/commit/65262d0a128165f7a5deaa06308476effff82a10, adding another sentence, and linking out to OOPIFs.