Split from bug 312124 comment 11 (and several surrounding comments). about:blank pages currently have an "anybody can touch me" policy. This should be changed to be more like data: URLs -- inheriting the principal of the script that loaded it, or if statically src'ed, the principal of the page. I think the current behavior introduces an XSS hole for any page that uses DOM 2 with about:blank to display information, and makes security-related code in Gecko more complicated than it needs to be.
*** This bug has been marked as a duplicate of 332182 ***
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
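The two policies described in the report above, as a toy model in JavaScript. This is an added example, not Gecko code and not part of the original bug; the function names (`originOf`, `createDocument`, `canAccess`, `scenario`), the origins, and the sample data are hypothetical and constructed for illustration.

```javascript
// Toy model (constructed for illustration, not Gecko code) of the two
// about:blank policies described in the report.

// A principal is modeled as an origin string taken from a URL.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Create a document. Under the "inherit" policy an about:blank document takes
// the principal of whatever loaded it (script or static src); under the
// "legacy" policy it has no principal of its own.
function createDocument(url, loader, policy) {
  if (url === "about:blank") {
    const principal = policy === "inherit" && loader ? loader.principal : null;
    return { url, principal, body: "" };
  }
  return { url, principal: originOf(url), body: "" };
}

// Same-origin style access check between a calling document and a target.
function canAccess(caller, target, policy) {
  if (target.url === "about:blank" && policy === "legacy") {
    return true; // "anybody can touch me"
  }
  return caller.principal !== null && caller.principal === target.principal;
}

// Scenario: a page fills an about:blank frame with data via the DOM, then a
// document from another origin that holds a reference tries to read it.
function scenario(policy) {
  const owner = createDocument("https://bank.example/account", null, policy);
  const other = createDocument("https://other.example/", null, policy);
  const frame = createDocument("about:blank", owner, policy);
  frame.body = "balance: 1234"; // constructed sample data written by the owner
  return {
    ownerCanRead: canAccess(owner, frame, policy),
    crossOriginCanRead: canAccess(other, frame, policy),
  };
}

console.log("legacy :", scenario("legacy"));
console.log("inherit:", scenario("inherit"));
```

Under the inherited-principal policy the frame is handled by the ordinary same-origin comparison, so the about:blank special case in the access check is no longer needed.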