(www.usenix.org)

72 points _vvhw | 1 comments | 25 Sep 19 08:42 UTC | HN request time: 0.201s | source

Show context

floatboth ◴[25 Sep 19 13:13 UTC] No.21070425[source]▶

Wait, how exactly does iframe sandbox not solve everything? Emails definitely should be shown in them, even with client side decryption, you can create an iframe from a data: URI. iframe sandbox is the strongest sandbox possible. Unique origin, no JS execution…

replies(3): >>21070498 #>>21071390 #>>21073009 #

1. ◴[25 Sep 19 17:30 UTC] No.21073009[source]▶

>>21070425 #

↑

DOMPurify, Security in the DOM, and Why We Really Need Both [pdf]