On 2015-03-12 9:45 AM, Boris Zbarsky wrote:
> On 3/12/15 6:28 AM, Anne van Kesteren wrote:
>> It does seem like there are some improvements we could make here. E.g.
>> not allow an <iframe> to request certain permissions. Insofar as we
>> haven't already.
>
> That doesn't help much; the page can just navigate itself to the attack
> site instead of loading it in a subframe. Combined with fullscreen
> spoofing to make it look like it's still the old page...

Well, top level navigation cancels the fullscreen mode, right?
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform