On Monday, November 25, 2019 at 10:38:28 PM UTC+1, [email protected] wrote:
> 1. If a user already gave permission to a certain origin (e.g. skype.com), and
> that origin had HTML injection, does that mean attacker can now silently
> inherit permission from skype.com?
>
> 2. If so, how can a website mitigate the risk of permission being silently
> taken to a third-party website?

Yes, I agree it might be a thing we should consider because we grant permission
access more broadly. However, if the origin is vulnerable, I don't think we could
protect more. If you have granted access to the origin, the origin can expose
data to others via postMessage (or other mechanisms).
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform