- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 10 Jun 2009 13:15:41 +0200
- To: "Tyler Close" <tyler.close@gmail.com>, "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Adam Barth" <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Wed, 10 Jun 2009 01:01:01 +0200, Tyler Close <tyler.close@gmail.com> wrote: > http://waterken.sourceforge.net/aclsdont/ > > All of the vulnerabilities discussed in that paper also apply in the > web browser context. In addition, the situation is worse, since not > all stack frames are visible to the browser, since it only sees > interactions at the granularity of origins. For example, in a Caja, > ADsafe or Facebook scenario where widgets are running in the same > page, stack introspection of origins is useless, since there's only > the one origin. This whole approach is a dead end for where the Web is > today and is going tomorrow. I think for those scenarios you really want to use a sandboxed <iframe> so the code from ads gets its own origin and can only communicate with the main page through messages. If sandboxed <iframe>s are adopted that would also change your prediction of where the Web is going if I understand your point correctly. -- Anne van Kesteren http://annevankesteren.nl/
Received on Wednesday, 10 June 2009 11:16:35 UTC