Prohibiting third-party embedded content would disable media embedded in blogs. Chris
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Elliotte Harold Sent: Friday, September 26, 2008 5:21 PM To: whatwg@lists.whatwg.org Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent to the current web 6) Admit that iframes and 3rd party embedded content are broken by design. Eliminate the iframe element completely, and set browsers to *never* load content or communicate with any site except the primary URL of the page. No 3rd party cookies, no 3rd party images, no 3rd party frames, no 3rd party scripts, no 3rd party nothing. Everything on the page comes from the same host. No exceptions. Simple. Secure. Easy to understand. Easy to implement.
