On 3/12/15 3:31 PM, Aryeh Gregor wrote:
2) Attacker opens a background tab and navigates it to http://b.com (I can't think of a JavaScript way to do this, but if there isn't one, making a big <a href="b.com" target=_blank> that covers the whole page would work well enough)
This is presuming user interaction. I agree that attacks that rely on user interaction are also a problem here, but I'm _really_ scared by the potential of no-interaction needed attacks, which can happen when the user is not even actively using the computer. Maybe it's just me.
-Boris _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
