- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 28 Jun 2017 22:53:47 +0000 (UTC)
- To: w3c/FileAPI <FileAPI@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 28 June 2017 22:54:32 UTC
> It could then for instance load an iframe or instantiate a plugin from the blob's content; this would give the attacker script execution in the blob's (and hence its creating app's) origin. How? Would the blob iframe and its parent not be cross-origin? Or you assume the blob iframe has unsafe postMessage() usage or some such? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/FileAPI/issues/74#issuecomment-311814421
Received on Wednesday, 28 June 2017 22:54:32 UTC