[EMAIL PROTECTED] wrote:
> One of the most important features lacking IMHO is the ability to
> restrict what hosts that are 'script src'd' can do. Currently they
> have full DOM access which is contributing towards drive by malware
> on ad networks and other nastiness.

Not if the ads are in an <iframe>, surely?

> We need the ability to allow Javascript to be hosted
> on a third party domain, but to restrict what resources that JS can
> access. For example allow an ad network to create image objects with
> links, but disallow cookie access or redirections. Lots of
> possibilities here.

I believe Hixie has recently proposed some HTML5 additions in this area.
Have you seen them?

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security