On Mon, Apr 9, 2012 at 4:23 PM, Tyler Close <[email protected]> wrote:
> On Mon, Apr 9, 2012 at 3:12 PM, Ian Hickson <[email protected]> wrote:
>> Just wait for the iframe to
>> appear and then navigate it to the mailto: handler with the parameters you
>> want.

That attacker has to navigate the iframe to the RPH handler URL with
the embedded mailto URL, not the mailto URL directly. Using the mailto
URL directly would cause the browser to run through its RPH code a
second time, causing the user to see a second Picker dialog, so the
attack is no longer invisible to the user.

--Tyler