On Wed, May 6, 2009 at 11:55 PM, Aaron Boodman <[email protected]> wrote:
> What about a setup where the content rendered in the tab area is
> running on chrome://, but contains a frame that hosts the actual feed
> running on http://foo.com?

Sure, we could do that. Or even better is if the outer page is a chrome-extension. Presumably we'll have a "subscribe to feed" API for extensions?

> Adam, what is the concern with having the feed run in the context of
> the hosting site? That they might XSS themselves?

There are two concerns:

1) The site might XSS itself by aggregating content from third parties into its RSS feed. Last time I looked into this, there were lots of examples of these, even on Google properties.

2) Our feed preview template might be screwed up and let the feed XSS the template. In a poor design, this might let the feed auto-subscribe the user to itself.

Adam

Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
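An added illustration of the second concern in the message above, not part of the original thread and not Chromium's code: a hypothetical feed preview template in JavaScript, first interpolating feed fields raw, then escaping them and allowing only http(s) links. All function names and the sample items are constructed for this example.

```javascript
// Feed fields are untrusted input, whether the feed's author or an
// aggregated third party wrote them.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can end a text node or a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Keep only absolute http(s) links; any other scheme or an unparsable
// value is replaced with an inert "#".
function safeHref(link) {
  try {
    const url = new URL(String(link));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch (err) {
    return '#';
  }
}

// Broken template: feed fields land in the preview markup unmodified, so
// markup in a title executes in whatever origin hosts the preview.
function renderPreviewUnsafe(items) {
  return items.map((it) => `<li><a href="${it.link}">${it.title}</a></li>`).join('');
}

// Corrected template: every field is encoded for the context it lands in.
function renderPreviewSafe(items) {
  return items
    .map((it) => `<li><a href="${escapeHtml(safeHref(it.link))}">${escapeHtml(it.title)}</a></li>`)
    .join('');
}

// Constructed sample feed items: one ordinary, one carrying markup.
const sampleItems = [
  { title: 'Release notes', link: 'http://foo.com/notes' },
  { title: '<script>alert(1)</script>', link: 'javascript:alert(1)' },
];

console.log(renderPreviewUnsafe(sampleItems));
console.log(renderPreviewSafe(sampleItems));
```

Escaping in the template addresses the template bug; it does not change which origin the preview runs in, which is the separate question the thread discusses.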
