On Tue, Jun 9, 2009 at 9:33 AM, John Abd-El-Malek<[email protected]> wrote: > On Wed, Jun 10, 2009 at 12:30 AM, Adam Barth <[email protected]> wrote: >> I'm hesitant to say because I don't want Vijay to treat this as advice >> on the "right" way to determine which page included his plug-in. The >> approach of trying to read the document's location via JavaScript is >> fundamentally insecure. > > I think if we tell someone not to do something because it's insecure, we > need to at least tell them about the most secure way we know about, even if > it's not perfect. IMO unless Vijay's plugin's is on a large number of > machines, it won't be a an attractive target for attackers.
I do know a secure way to do this, but it's extremely complex. I don't think it would be responsible for me to try to explain it in this thread because I'd probably screw up the explanation. I should document it carefully sometime, but that's not high on my list of priorities. Adam --~--~---------~--~----~------------~-------~--~----~ Chromium Developers mailing list: [email protected] View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~----------~----~----~----~------~----~------~--~---
