[whatwg] cross-domain scrollIntoView on frames and iframes

Peter Kasting wrote, On 05/04/2009 0.54:
> On Sat, Apr 4, 2009 at 12:56 PM, timeless <timeless at gmail.com> wrote:
>
>   
>> sounds like a security nightmare.
>>     
>
>
> Can you be less vague?  We've had a number of security people vet this
> already, so specific complaints would be very helpful.
>
> PK
It would make clickjacking attacks more precise, by exactly positioning 
the frame content where the attacker wants it to be.
Not that you cannot already be pixel-precise by using absolute 
positioning inside an overflow: hidden div...
Let's say it would make them even more script-kiddies friendly.
--
Giorgio Maone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090405/45a6faa9/attachment.htm>

Received on Saturday, 4 April 2009 23:09:54 UTC