
Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 22:33:29 +0000
Message-ID: <AANLkTimU=vD+gWXdv_sJMPWF3=5TfGDvg76UcK2KBOU5@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org
On 28 January 2011 22:26, Brandon Sterne <bsterne@mozilla.com> wrote:

> If the <iframe> is in a different domain than the target site, how can
> it inject script into the target site?
>

<iframe src="//google.com" onload="this.contentWindow.location='//microsoft.com'"></iframe>

location is settable across any domain.
Received on Friday, 28 January 2011 22:34:02 GMT
