On 3/12/15 6:28 AM, Anne van Kesteren wrote:
It does seem like there are some improvements we could make here. E.g. not allow an <iframe> to request certain permissions. Insofar we haven't already.
That doesn't help much; the page can just navigate itself to the attack site instead of loading it in a subframe. Combined with fullscreen spoofing to make it look like it's still the old page...
-Boris _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
