While making some changes to my plugin I noticed the following: If one injects an iframe into a webpage and the iframe loads a custom URL (implemented by a custom protocol handler), in Firefox 3.6, the parent page cannot access the content of the iframe (due to same-origin policy). The only flag set for the protocol is `URI_LOADABLE_BY_ANYONE`.

But in Firefox 4, the content can be accessed by the parent page. I can reproduce the same behaviour in Firefox 3.6 if I set the flags `URI_LOADABLE_BY_ANYONE` and `URI_INHERITS_SECURITY_CONTEXT`.

Is this an intended change or a bug? If it is intended, where can I find more information about it (https://developer.mozilla.org/en/Firefox_4_for_developers#Security does not mention anything) and how can I make it behave the same way as in Firefox 3.6?

I am relying on this because I want to add user content to the page without letting the parent page have access to it.

Any information about it is highly appreciated :)

Thank you very much,
Felix

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security