[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Tue Sep 30 06:56:26 PDT 2008

On Wed, 1 Oct 2008, Robert O'Callahan wrote:

> I don't think that's secure. The outer page can set the IFRAME's URL to
> contain a #xyz fragment identifier

That's really covered in the original proposal. Honest :P In a kludgy 
manner, of course (permitting fragments, but not permitting onload 
scrolling based on fragments in cross-domain settings), but we thought of 
this one.


More information about the whatwg mailing list