Good point, it was dpm that wasn't secured. http://codereview.appspot.com/32052/show
--John On Thu, Mar 26, 2009 at 4:11 PM, Brian Eaton <[email protected]> wrote: > wpm is safe as well. From rpc.js function gadgets.rpc.call(). > > case 'wpm': // use window.postMessage. > var targetWin = targetId === '..' ? parent : frames[targetId]; > var relay = gadgets.rpc.getRelayUrl(targetId); > if (relay) { > targetWin.postMessage(rpcData, relay); > } > break; >
