- From: Artur Adib <arturadib@gmail.com>
- Date: Thu, 3 Jun 2010 17:55:40 -0400
- To: robert@ocallahan.org
- Cc: public-html@w3.org, Leonard Rosenthol <lrosenth@adobe.com>, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>

On Thu, Jun 3, 2010 at 5:37 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
>
> Could an attacker use a custom Flash object to force top-level navigation?

Good question. Adam- Do you happen to know if that's possible in WebKit? I mean, I don't even know if Flash has access to 'top.location', but if it does, will @sandbox protect it?

At any rate, since most of our problems are JavaScript-based, that's a risk we're willing to take. Hopefully the plugin APIs will soon respect @sandbox, but until then, as I have argued, "allow-plugins" is still useful, and can be implemented in parallel with the APIs (see my previous message).

-Artur

Received on Thursday, 3 June 2010 21:56:12 UTC