Re: [Content Security Policy] Proposal to move the debate forward

On 28 January 2011 22:26, Brandon Sterne <bsterne@mozilla.com> wrote:

> If the <iframe> is in a different domain than the target site, how can
> it inject script into the target site?
>

<iframe src="//google.com" onload="this.contentWindow.location='//microsoft.com'"></iframe>

location is settable across any domain.

Received on Friday, 28 January 2011 22:34:02 UTC