If someone gets to your secure site via a <a target="_blank">, you're *not* allowed to use secure-only features. https://github.com/w3c/webappsec-secure-contexts/issues/42 …
-
I see no reason a page would actively undermine its security by talking to an unsecure page on purpose.
-
we've seen devs work around HTTPS restrictions by having a tiny HTTPS page which they use as a proxy via postMessage
-
I think that's a case for not allowing opener access across security boundaries at all in this case. Different thing.
-
You’re absolutely right!
@jaffathecake
-
your examples are not relevant. they show the popup hacking the main page, not the reverse.
-
Note the window that will get its security restricted has access to the unsecure page, not the other way around.