On Fri, Oct 3, 2014 at 12:20 PM, J Sisson <sisso...@gmail.com> wrote:
> If the javascript contains an XMLHTTPRequest object, it can call out
> to a different server (than the one you are visiting) without your
> explicit knowledge, download content, and do basically whatever the
> user the browser is running as can do, barring browser sandboxing,

Also, Chromium and Firefox don't implement any OS-level sandboxing on OpenBSD. If anyone's interested in helping to fix that, see http://crbug.com/378813.