On Wed, 10 Jun 2009 01:01:01 +0200, Tyler Close <[email protected]> wrote:
> http://waterken.sourceforge.net/aclsdont/
>
> All of the vulnerabilities discussed in that paper also apply in the
> web browser context. In addition, the situation is worse, since not
> all stack frames are visible to the browser, since it only sees
> interactions at the granularity of origins. For example, in a Caja,
> ADsafe or Facebook scenario where widgets are running in the same
> page, stack introspection of origins is useless, since there's only
> the one origin. This whole approach is a dead end for where the Web is
> today and is going tomorrow.

I think for those scenarios you really want to use a sandboxed <iframe> so the code from ads gets its own origin and can only communicate with the main page through messages. If sandboxed <iframe>s are adopted that would also change your prediction of where the Web is going if I understand your point correctly.

-- 
Anne van Kesteren
http://annevankesteren.nl/
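
The host-page side of the arrangement described in the reply above, as an added example that is not part of the original thread: an ad frame is given its own opaque origin with the `sandbox` attribute as later standardised in HTML, and the page accepts only narrowly validated messages from it. The message shape, the `resize` type, the 600px limit, the function name `createAdMessageHandler` and the `ads.example` URL are assumptions made for illustration.

```javascript
// Added example: host page receiving messages from a sandboxed ad frame.
// Assumed for illustration: message shape {type, height}, the "resize" type,
// the 600px cap, and the placeholder URL below.

// A sandboxed frame without allow-same-origin has an opaque origin, which
// postMessage reports as the literal string "null".
const SANDBOXED_ORIGIN = "null";
const MAX_HEIGHT = 600;

function createAdMessageHandler(adWindow, onResize) {
  return function handle(event) {
    // Every sandboxed frame reports "null", so the origin string alone does
    // not identify the sender; the sending window object does.
    if (event.source !== adWindow) return "rejected: unknown source";
    if (event.origin !== SANDBOXED_ORIGIN) return "rejected: unexpected origin";

    const msg = event.data;
    if (msg === null || typeof msg !== "object") return "rejected: malformed";
    // Allow-list of message types: the frame can ask for a resize, nothing else.
    if (msg.type !== "resize") return "rejected: unsupported type";
    if (!Number.isInteger(msg.height) || msg.height < 0 || msg.height > MAX_HEIGHT) {
      return "rejected: height out of range";
    }
    onResize(msg.height);
    return "accepted";
  };
}

// Browser wiring; skipped when no DOM is present (for example under Node).
if (typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts"); // deliberately no allow-same-origin
  frame.src = "https://ads.example/widget.html";  // placeholder URL
  document.body.appendChild(frame);
  const handler = createAdMessageHandler(frame.contentWindow, (h) => {
    frame.style.height = h + "px";
  });
  window.addEventListener("message", handler);
}
```

Adding `allow-same-origin` to the `sandbox` value would give the frame its real origin back, so the origin check above would then reject its messages.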
