On Tuesday, February 17, 2015 at 2:17:18 PM UTC+1, Benjamin Francis wrote: > On 17 February 2015 at 05:32, Anders Rundgren <[email protected]> wrote: > <iframe trustedapp="com.example.PaymentRequest" ... ></iframe> > > > > <iframe mozapp="app://myapp.com" ...></iframe> > > > > > This code should appear to the browser as coming from a virtual domain.
Interesting! If the docs are correct this is currently only available for Firefox OS. > > > > app://myapp.com > > > Unfortunately it turns out that it isn't safe to embed trusted code inside > untrusted code in this way because it provides a vector for clickjacking > attacks. That's indeed a drawback although the primary motivation behind my take on trusted web application is protecting the platform against malicious server code. Protecting users against malicious servers seems like a more generic issue. I guess it is technically very difficult forbidding alien windows covering the trusted iframe? Anders _______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
