Clarified the use of the allow-same-origin attribute #1355
Conversation
|
cc @Meggin LGTM. Is there an opportunity to enhance the error message in this case? |
| @@ -23,7 +23,7 @@ Displays an iframe. | |||
| - `amp-iframe` may not appear close to the top of the document (except for `click-to-play` iframes as described below). They must be either 600px away from the top or not within the first 75% of the viewport when scrolled to the top – whichever is smaller. NOTE: We are currently looking for feedback as to how well this restriction works in practice. | |||
| - They are sandboxed by default. [Details](#sandbox) | |||
| - They must only request resources via HTTPS or from a data-URI or via the srcdoc attribute. | |||
| - They must not be in the same origin as the container unless they do not allow `allow-same-origin` in the sandbox attribute. | |||
| - They must not be (or expect to be) in the same origin as the container. If you want this behaviour you should add the `allow-same-origin` attribute. | |||
There was a problem hiding this comment.
I think this can be further clarified. I'll explain the reason for this rule, since it is in place for DevExp reasons.
Doc X on origin A could load an iframe on origin A and then the iframe could change the doc. But when doc X would be loaded from the AMP cache the its origin would change and the iframe no longer had access, which might break the page.
This is why we want to make the cases where they are on the same origin behave the same as if they weren't. This is not actually for security reasons, since our check can be circumvented with a simple redirect.
There was a problem hiding this comment.
I see your point, but I'm not sure I see how to implement it. Could you suggest a change?
|
Filed ampproject/amp.dev#15 to track this |
|
Closing this pull request due to the addition of: https://github.com/ampproject/amphtml/blob/master/spec/amp-iframe-origin-policy.md which documents the same thing in more detail. |
No description provided.