@BRIAN_____ I think @troyhunt is using the term "context" too loosely.
@ericlaw @troyhunt I understand what you mean. It's still bad. And it's terrible that it is the default on the web. /cc @frgx @BrendanEich
@BRIAN_____ It is terrible that anyone can execute code in some domain that has no privileges? CC @ericlaw @troyhunt @BrendanEich
@frgx @ericlaw @troyhunt @BrendanEich It does have some privileges, e.g. allow-top-navigation. Plus, DoubleClick chooses privs, not page.
@frgx @ericlaw @troyhunt @BrendanEich IMO, it's terrible that "don't let an ad do anything outside its box until clicked" isn't the default.
@BRIAN_____ Yes, iframe sandbox doesn't have the adoption it should. cc @ericlaw @troyhunt @BrendanEich
@frgx @ericlaw @troyhunt @BrendanEich Yes. I think we need to enhance iframe sandbox to get the click-to-allow-top-navigation experience.
@BRIAN_____ Is it XSS on http://troyhunt.com or on the ad domain? Cc @troyhunt