Adam Barth <w3c@adambarth.com> wrote:> attacker cannot execute script in the sandboxed document itself, > but he/she can trigger a navigation to another (non-sandboxed) > document, which can execute script. I'm fine with that--if the site is worried about the effect on a containing doc they should use the frame attribute. If they're using CSP then they at worried about that specific page being abused. -DanReceived on Friday, 4 November 2011 18:32:31 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 4 November 2011 18:32:32 GMT