[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Tue Sep 30 06:56:26 PDT 2008
On Wed, 1 Oct 2008, Robert O'Callahan wrote:
> I don't think that's secure. The outer page can set the IFRAME's URL to
> contain a #xyz fragment identifier
That's really covered in the original proposal. Honest :P In a kludgy
manner, of course (permitting fragments, but not permitting onload
scrolling based on fragments in cross-domain settings), but we thought of
this one.
/mz