- From: <sird@rckc.at>
- Date: Tue, 15 Feb 2011 20:44:57 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: public-web-security@w3.org
sandboxed iframes have a unique origin, they can't XHR to same domain. they can XHR using CORS.. I guess.. haven't tested -- Eduardo On Tue, Feb 15, 2011 at 12:46 AM, gaz Heyes <gazheyes@gmail.com> wrote: > On 15 February 2011 07:18, sird@rckc.at <sird@rckc.at> wrote: >> >> I wish that JS Workers were completely isolated, and with no XHR, it would >> be a nice feature (maybe as an extra argument marking the code as >> untrusted). >> Anyway, what about a JS Worker triggered from a sandboxed iframe? > > Would a sandboxed iframe allow same origin XHR urls? You'd need to stop that > but even so the point is that defineProperty should be able to disable > properties of an object that you know nothing about or that can change in > time >
Received on Wednesday, 16 February 2011 04:45:49 UTC