My sense is that's an acceptable risk given that this information commonly leaks in document.referrer anyway. Using sandbox sounds like a worthwhile backstop though. Adam