>>>>> "Mark" == Mark Donnelly <[log in to unmask]> writes:
Mark> Does anyone have better ideas? --Mark
I don't know if this is better or not, but it might be reasonably
simple.
Implement something similar to origin checking in the trusted
JavaScript.
Carefully control the name types that can be requested.
In particular, require that the target name in the initiator match the
origin of the site associated with the current page's URL.
My gut feeling is that is not enough, but I cannot figure out why it is
insufficient.
--Sam
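
An added example, not part of the original message or of any project's code: a sketch of the check described above as it could sit in the trusted JavaScript layer. The function name, the `HTTP` service allow-list, the HTTPS requirement and the use of GSS-API host-based service names (`service@host`) are assumptions made for illustration.

```javascript
// Hypothetical gatekeeper: decides whether a page may request a GSS
// security context for the given target name.
const ALLOWED_NAME_TYPES = new Set(["GSS_C_NT_HOSTBASED_SERVICE"]);
const ALLOWED_SERVICES = new Set(["HTTP"]); // assumption: web use only

function checkTargetName(pageUrl, nameType, targetName) {
  // 1. Carefully control the name types that can be requested.
  if (!ALLOWED_NAME_TYPES.has(nameType)) {
    return { ok: false, reason: "name type not allowed" };
  }
  // 2. Derive the origin from the page URL as the browser sees it,
  //    never from anything the page script supplies about itself.
  let page;
  try {
    page = new URL(pageUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable page URL" };
  }
  if (page.protocol !== "https:") {
    return { ok: false, reason: "page is not a secure origin" };
  }
  // 3. Parse "service@host" strictly; reject anything else.
  const parts = String(targetName).split("@");
  if (parts.length !== 2 || !/^[A-Za-z0-9.-]+$/.test(parts[1])) {
    return { ok: false, reason: "malformed target name" };
  }
  const [service, host] = parts;
  if (!ALLOWED_SERVICES.has(service)) {
    return { ok: false, reason: "service not allowed" };
  }
  // 4. Exact host match against the page origin (case-insensitive,
  //    trailing dot ignored). No suffix or wildcard matching.
  const norm = (h) => h.toLowerCase().replace(/\.$/, "");
  if (norm(host) !== norm(page.hostname)) {
    return { ok: false, reason: "target does not match page origin" };
  }
  return { ok: true, reason: "target matches page origin" };
}

// Constructed sample requests.
const HB = "GSS_C_NT_HOSTBASED_SERVICE";
console.log(checkTargetName("https://app.example.org/login", HB, "HTTP@app.example.org"));
console.log(checkTargetName("https://app.example.org/login", HB, "HTTP@idp.example.net"));
```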