[whatwg] some thoughts on sandboxed IFRAMEs
Aryeh Gregor
Simetrical+w3c at gmail.com
Mon Jan 25 09:39:04 PST 2010
On Mon, Jan 25, 2010 at 1:29 AM, Adam Barth <whatwg at adambarth.com> wrote:
> That depends what information the attacker encodes in the host name.
> Recall that we're imagining the attacker gets to run JavaScript within
> the sandbox

If we're assuming that, then yes, it's probably hopeless. But are we
assuming that? The given use-case was webmail -- that would be
expected to disable scripts in the sandbox, no?

> The point is that stopping exfiltration is a losing battle that we
> shouldn't bother to play.

Even if scripting is disabled?