It seems the problem equally affects embedded objects, which can be loaded from a different origin as well.
Chris

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert O'Callahan
Sent: Friday, September 26, 2008 3:31 AM
To: Michal Zalewski
Cc: Maciej Stachowiak; [email protected]
Subject: Re: [whatwg] Dealing with UI redress vulnerabilities inherent to the current web

IMHO the basic problem here is allowing IFRAMEs to be cross-origin by default. That causes many problems, some of which you know well, and others you probably don't (e.g. http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html ).

In fact, in an ideal world, I think we'd default to same-origin restrictions on everything --- IFRAMEs, images, scripts, etc --- and use a spec like Access Controls to let sites opt-in to allowing their resources to be loaded from specific other origins.
