On Monday, November 25, 2019 at 10:38:28 PM UTC+1, s.h...@gmail.com wrote:
> 1. If a user already gave permission to certain origin (e.g. skype.com), and
> that origin had HTML injection, does that mean attacker can now silently
> inherit permission from skype.com?
>
> 2. If so, how can a website mitigate the risk of permission being silently
> taken to third party website?
Yes, I agree it might be a thing we should consider because we grant permission
access broader. However, if the origin is vulnerable, I don't think we could
protect more. If you have granted access to the origin, the origin can expose
data to other via postMessage (or other mechanisms).
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
