Flash does something similar, but not *precisely* the same. I stand by my statement that the below is insecure.
Adam On Mon, Jun 8, 2009 at 8:08 PM, John Abd-El-Malek<j...@chromium.org> wrote: > BTW this is how Flash does it. > > On Mon, Jun 8, 2009 at 7:47 PM, Adam Barth <aba...@chromium.org> wrote: >> >> On Mon, Jun 8, 2009 at 1:29 PM, vijay<tec...@gmail.com> wrote: >> > We used to use NPN_GetURL with "javascript:document.location" as the >> > URL. In the current implementation, after this script is executed in >> > WebPluginImpl::ExecuteScript (in src/webkit/glue/webplugin_impl.cc), >> > its checking the result value: >> >> This is not a secure way to determine which page embedded the plug-in. >> If you require this value to make a security decision, you should use >> a different approach. >> >> Adam >> >> >> > > --~--~---------~--~----~------------~-------~--~----~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~----------~----~----~----~------~----~------~--~---