Pretty crazy. :) I believe most webAPIs that I've seen discussed have limited API access requests to the top level content only, which I think is a good compromise. I'm sure someone will school me on any exceptions though. Lucas.
-- A fanatic is one who can't change his mind and won't change the subject - Sir Winston Churchill On Mar 15, 2012, at 2:29 PM, Zack Weinberg wrote: > On 03/15/2012 10:52 AM, Adrienne Porter Felt wrote: > >> I'd also like to raise the issue of what happens to permissions when >> principals interact. Do webapps have iframes like websites? Can they >> embed advertisements? Do the advertisers then get all of the permissions? > > How crazy would "no iframes in webapps" be? Or perhaps "no cross-origin > iframes in webapps"? > > zw > _______________________________________________ > dev-security mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
