- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 03 Sep 2010 14:16:04 -0400
On 9/3/10 1:55 PM, Jonas Sicking wrote: > On Fri, Sep 3, 2010 at 10:47 AM, Adam Barth<w3c at adambarth.com> wrote: >> I'm not sure it makes much of a difference from a security point of >> view. > > Agreed. Pages can only move elements between pages that are in the > same security context anyway so I can't really think of any attacks > that any of the approaches would enable or disable. Could it cause script to run from a <script> element that someone sticks in a same-origin but sandboxed iframe if the non-sandboxed parent moves some part of the DOM out before the parse is done? -Boris
Received on Friday, 3 September 2010 11:16:04 UTC