The spec should mention that even after MessageEvent.origin's value has been
checked, MessageEvent.data should also be checked for structural correctness,
because if the target window contains an XSS hole, improper validation of
incoming messages could result in the target window's XSS hole

On Mon, 26 May 2008, Ojan Vafai wrote:
What happens if an iframe is loaded with sandbox set and then the
property is unset? What security origin is it in?
I've clarified the spec to ensure that the flag only takes effect when the
browsing context is navigated and the Document is created.
(Please only cc one mailing list when replying, to reduce cross-posting.)
On Sun, 25 May 2008, Jon Ferraiolo wrote:
Olaf suggested that there might be another attribute to propagate
events. This is definitely highly desirable in some scenarios. Note that
the CDF WG has done some work that

On Thu, Feb 12, 2009 at 8:41 AM, Boris Zbarsky bzbar...@mit.edu wrote:
Garrett Smith wrote:
In Shiretoko, a script, even a deferred script, will not run until the
stylesheet is loaded.
Correct.
Can we make an improvement on that, or to make that improvement
configurable to the page