Hello,

If you've used Google Wave or iGoogle you have probably seen that you can insert widgets that are made by third parties without approval. My question is: How does it prevent the widget from performing XSS or stealing cookies? Are the widgets loaded in an <iframe>? If yes, then what prevents them from redirecting you to another page?

Thanks

A: 

They can redirect you to another page, as far as I know.

Fogh
A: 

I assume it is because those widgets would be banned if they did so.

The HTML5 group is working on a real (technical, rather than legal) solution to this problem using the "sandbox" attribute in iframes.

luiscubal
+1  A: 

Yes, they use iframes to host the untrusted content. They cannot steal cookies because this content is hosted on a different domain (gmodules.com), and the browser prevents cross-domain interaction.

Regarding redirection, a module hosted in an iframe CAN change the window.location (but surprisingly, cannot read it). So, it is possible for malicious code in a user-uploaded module to take you to a spoofed google login page in an attempt to steal your password.

sri
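To tie the second and third answers together, here is an added example (not code from the thread, and not how iGoogle or Google Wave actually embed widgets) of a host page building the widget `<iframe>` with the HTML5 `sandbox` attribute. It assumes the widget is served from its own origin, as the gmodules.com setup described above does; `HOST_ORIGIN`, `checkSandboxPolicy` and `buildWidgetFrame` are hypothetical names.

```javascript
// Added example, not code from the thread or from Google's widget hosts.
// Hypothetical helpers for a page that embeds third-party widgets: the
// widget is served from its own origin (the thread's gmodules.com pattern)
// and the <iframe> sandbox attribute decides what the widget may do.
const HOST_ORIGIN = 'https://host.example'; // constructed host origin

// Sandbox tokens this helper knows about (a subset of the HTML spec's list).
const KNOWN_TOKENS = new Set([
  'allow-scripts', 'allow-forms', 'allow-popups',
  'allow-same-origin', 'allow-top-navigation',
]);

// Return a list of policy problems; an empty list means the policy is acceptable.
function checkSandboxPolicy(tokens, frameOrigin) {
  const problems = [];
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) problems.push(`unknown sandbox token: ${t}`);
  }
  // The redirect the third answer describes: an unsandboxed frame may set
  // top.location. A sandboxed frame may not unless allow-top-navigation is granted.
  if (tokens.includes('allow-top-navigation')) {
    problems.push('allow-top-navigation lets the widget navigate the whole window');
  }
  if (frameOrigin === HOST_ORIGIN && tokens.includes('allow-same-origin')) {
    // Cookie theft: content on the host origin keeps the host's cookies and DOM.
    problems.push('widget shares the host origin; allow-same-origin exposes host cookies');
    if (tokens.includes('allow-scripts')) {
      // The spec warns that scripts plus same origin let a frame strip its own sandbox.
      problems.push('allow-scripts with allow-same-origin on host-origin content defeats the sandbox');
    }
  }
  return problems;
}

// Build the <iframe> tag, refusing policies that reintroduce the thread's two risks.
function buildWidgetFrame(src, tokens) {
  const origin = new URL(src).origin;
  const problems = checkSandboxPolicy(tokens, origin);
  if (problems.length > 0) throw new Error(problems.join('; '));
  // Escape the src so the widget URL cannot break out of the attribute.
  const attr = src.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return `<iframe src="${attr}" sandbox="${tokens.join(' ')}"></iframe>`;
}
```

A cross-origin widget with `allow-same-origin` is accepted: it keeps its own origin's cookies, not the host's, which is exactly the separation the third answer relies on.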