On Wed, 1 Oct 2008, Robert O'Callahan wrote:
I don't think that's secure. The outer page can set the IFRAME's URL to contain a #xyz fragment identifier
That's really covered in the original proposal. Honest :P In a kludgy manner, of course (permitting fragments, but not permitting onload scrolling based on fragments in cross-domain settings), but we thought of this one.
/mz
