This issue was reported after the Security review of XBL; jag asked me to make a bug out of the issue.
I would like even more: Make a pref so everything loads from same origin. By "everything" I mean HTML and XUL elements like IFRAME. This has privacy implications. This is already done for <img>, but <iframe> bypasses it. I have actually seen some invisible <iframe>s (IIRC they came from doubleclick) and don't see any reason for them except for tracking user's web surfing.
This is a request for a pref, so it doesn't make sense for it to be security-sensitive. How would this pref be useful?