Re: [Content Security Policy] Proposal to move the debate forward

On 28 January 2011 22:26, Brandon Sterne <bsterne@mozilla.com> wrote:

> If the <iframe> is in a different domain than the target site, how can
> it inject script into the target site?
>

<iframe src="//google.com" onload="this.contentWindow.location='//microsoft.com'"></iframe>

location is settable across any domain.

Received on Friday, 28 January 2011 22:34:02 UTC