[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Fri Sep 26 09:43:41 PDT 2008
On Fri, 26 Sep 2008, Elliotte Harold wrote:
> Absolutely false. The media simply needs to be served from the same host
> the blog itself is. This is how almost all the media in my blogs works
> today. What little content comes from a 3rd party site in my blogs
> (mostly from laziness) could easily be moved to the sites that serve the
> blogs.
I kinda assumed this suggestion was tongue-in-cheek, but if not - banning
cross-domain IFRAMEs to fix one flaw, without providing viable methods for
sandboxing untrusted same-origin content, would leave web developers with
no tools to deal with quite a few classes of major security issues.
/mz