> I wonder if we have enough information when dispatching the WebChannel message > here [...] to detect that it's coming from an iframe or other unexpected source :pauljt talked through this with me a bit, and it doesn't sound like there's much we could do here; if the child process is sufficiently compromised blown then it can make itself indistinguishable from a "good" login page. I think the right path forward on the FxA front is Bug 1538024, removing the ability for web content to sign the browser in to sync.
Bug 1538008 Comment 3 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
> I wonder if we have enough information when dispatching the WebChannel message > here [...] to detect that it's coming from an iframe or other unexpected source :pauljt talked through this with me a bit, and it doesn't sound like there's much we could do here; if the child process is sufficiently compromised then it can make itself indistinguishable from a "good" login page. I think the right path forward on the FxA front is Bug 1538024, removing the ability for web content to sign the browser in to sync.