Open Bug 1010011 Opened 6 years ago Updated 7 months ago
Gecko should forbid embedding iframe which has different origins in src and moz
APP(manifest URL) attribute .
Embed iframe with different origins in src and mozAPP(manifest URL) attribute. ex: <iframe mozapp="app://abc.gaia/manifest.webapp" src="app://xyz.gaia/"> Expected result: Gecko will show error and kill the instance. Actual: Gecko creates a instance for this iframe.
This will likely be more complex than a same-origin check. That needs to honor what has be called the "application scope" (there are a couple of mailing list threads about that) and it's not clear yet how we define these. That's important because this should be enforced not only when opening the iframe but also during navigation.
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046 Move all DOM bugs that haven't been updated in more than 3 years and has no one currently assigned to P5. If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.