Re: Understanding the security model for the sandbox directive

Adam Barth <> wrote:> attacker cannot execute script in the sandboxed document itself,
> but he/she can trigger a navigation to another (non-sandboxed)
> document, which can execute script.

I'm fine with that--if the site is worried about the effect on a containing doc they should use the frame attribute. If they're using CSP then they at worried about that specific page being abused.


Received on Friday, 4 November 2011 18:32:31 UTC