On 13 February 2011 21:54, sird@rckc.at <sird@rckc.at> wrote: > Yeah, that's why it should be same origin. > > The attacker can't do anything new if it's locked to same origin. > What's locked to same origin? The attribute policy? The ability to modify the policy is also an attack vector, if this was ever a true sandbox giving the attacker to modify the behaviour on the page would be a really bad idea IMO. If external domains couldn't create policies using iframes then I guess that would be ok although I would think it would be kinda pointless as sub domain are often used to separate sandboxed content.
Received on Monday, 14 February 2011 10:20:37 UTC