On 3/11/11 6:34 AM, Felix Kling wrote:
While making some changes to my plugin I noticed the following:
If one injects an iframe into a webpage and the iframe loads a custom
URL (implemented by a custom protocol handler), in Firefox 3.6, the
parent page cannot access the content of iframe (due to same-origin
policy).
The only flag set for the protocol is `URI_LOADABLE_BY_ANYONE`.
But in Firefox 4, the content can be accessed by the parent page.
That seems like a bug, if true. Testcase, please? Ideally in a bug in
bugzilla.
Is this an intended change or a bug?
It's certainly not an intended change.
-Boris
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
