Section 2.2.1, event propagation to parent documents:
- This feature creates security issues for containing documents that
use existing inclusion features. Now child documents can unilaterally
decide to trigger any event handlers on any element in the parent
document that contains the child. This may create unexpected security
risks to documents that thought including child content was "safe"
and would not thereby affect their keyboard and mouse handlers.
- This feature creates security issues for the contained document. It
may wish to use an event to simply send a message to a parent
document that is for security reasons otherwise inaccessible.
However, because the Event interface includes the target node, it may
therefore inadvertently expose its whole DOM.
- If cross-document event propagation is to be included, I request
that it be changed so that both parent and child have to consent.
- But better yet, I recommend that cross-document event propagation
be removed, and that instead cross-document communication be designed
in a way that does not overload existing features, to minimize the
security risk. One example would be cross-document messaging, as
implemented in Opera:
<http://virtuelvis.com/archives/2005/12/cross-document-messaging>
and proposed for standardization by whatwg as part of Web Apps 1.0:
<http://whatwg.org/specs/web-apps/current-work/#crossDocumentMessages>
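
The contrast drawn in the comment above, as an added example that is not part of the original message: a toy model in which event propagation hands the parent a live `target` node leading to the child's private state, while a message-passing channel delivers only a copy of the data after both sides consent. The classes, function names, origins and the origin-based consent checks are assumptions made for this sketch, not taken from the Opera or WHATWG documents cited.

```javascript
// Constructed toy model, runnable in Node.js without a browser.
// Every class and function name here is hypothetical.
class ToyDocument {
  constructor(origin, privateState) {
    this.origin = origin;
    this.privateState = privateState; // stands in for the rest of the DOM
    this.handlers = [];               // event handlers registered in this document
    this.trusted = new Set();         // origins this document accepts messages from
    this.inbox = [];
  }
  createNode(name) { return { name, ownerDocument: this }; }
}

// Design 1: event propagation. The child alone decides to dispatch, and the
// parent's handlers receive the child's live node as event.target.
function propagateEvent(child, parent, type) {
  const event = { type, target: child.createNode('button') };
  return parent.handlers.map((handler) => handler(event));
}

// Design 2: message passing. The sender names the recipient, the receiver
// must have opted in to the sender, and only a copy of the data crosses.
function sendMessage(sender, receiver, targetOrigin, data) {
  if (receiver.origin !== targetOrigin) return false;      // sender's consent
  if (!receiver.trusted.has(sender.origin)) return false;  // receiver's consent
  const copy = JSON.parse(JSON.stringify(data));           // no live references
  receiver.inbox.push({ origin: sender.origin, data: copy });
  return true;
}

function demo() {
  const parent = new ToyDocument('https://parent.example', 'parent state');
  const child = new ToyDocument('https://child.example', 'child private state');

  // A parent handler can walk from event.target to the child's whole document.
  parent.handlers.push((e) => e.target.ownerDocument.privateState);
  const exposed = propagateEvent(child, parent, 'click');

  const payload = { status: 'ready' };
  const refused = sendMessage(child, parent, parent.origin, payload);
  parent.trusted.add(child.origin);                        // parent opts in
  const accepted = sendMessage(child, parent, parent.origin, payload);
  const wrongTarget = sendMessage(child, parent, 'https://other.example', payload);
  payload.status = 'changed'; // the receiver's copy is unaffected
  return { exposed, refused, accepted, wrongTarget, inbox: parent.inbox };
}

console.log(JSON.stringify(demo(), null, 2));
```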