> The iframe injection attack is alive and well, unfortunately.
>
> iframe was deprecated in strict xhtml doctypes and I was really hoping
> html5 would follow suit, but no such luck.

Jim,

A list of iframe vulnerabilities from 2007, and particularly related to Firefox:-

  Browser cross domain exploits
  XSS/CSRF reflection attacks
  CSS and iframes can scan your LAN from the internet!
  LAN scanning with Javascript and iframes
  CSS iframe overlays
  URL redirection

Most of the above threats have now been dealt with by Mozilla Firefox. The LAN scanning can still take place, but if you are PW protected the threat stops there.

In the case of the RW servers, they are HTML only with the addition of limited SSI and cgi. I've had an iframe with its source located on another server embedded in a RW page for some time and to the best of my knowledge there has never been any attempt to launch an exploit via it.

Cross communication with the iframe and its host browser is now virtually impossible.

https://developer.mozilla.org/En/Displaying_web_content_in_an_extension_without_security_issues

If the iframe concept was to be dropped, then a possibly more secure way would be to use the XMLHttpRequest which can only communicate within the same domain, or in the case of RW within the same sub domain.

Barry
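
Added example, not part of the original message: a small audit that applies the same-origin comparison (scheme, host and port) to every iframe in a page, listing frames served from another origin and flagging those that are unsandboxed or hidden. The page URL, HTML and host names are constructed, and the function names are hypothetical.

```javascript
// Constructed sample input: a page URL and its HTML (all host names are made up).
const SAMPLE_PAGE_URL = "http://members.example.org/~barry/index.html";
const SAMPLE_HTML = `
<html><body>
<iframe src="/~barry/menu.html"></iframe>
<iframe src="http://files.example.org/widget.html" sandbox="allow-scripts"></iframe>
<IFRAME SRC='http://members.example.org:8080/stats.html' width=0 height=0></IFRAME>
<iframe src=https://cdn.example.net/frame.html style="display:none"></iframe>
</body></html>`;

// Origin = scheme + host + port, the tuple the same-origin policy compares.
// A sibling subdomain or a different port is therefore a different origin.
function originOf(url) {
  const u = new URL(url);
  return u.protocol === "http:" || u.protocol === "https:" ? u.origin : null;
}

// Read one attribute from a tag; handles double-quoted, single-quoted and bare values.
function attr(tag, name) {
  const re = new RegExp(
    "\\s" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Classify every <iframe src=...> in the HTML relative to the page's origin.
function auditIframes(pageUrl, html) {
  const pageOrigin = originOf(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (src === null) continue; // frames without src are out of scope here
    let resolved = src, frameOrigin = null;
    try {
      resolved = new URL(src, pageUrl).href; // resolve relative URLs first
      frameOrigin = originOf(resolved);
    } catch { /* unparsable src: treated as cross-origin below */ }
    const crossOrigin = frameOrigin !== pageOrigin;
    const sandboxed = /\ssandbox\b/i.test(tag);
    const hidden = /display\s*:\s*none/i.test(tag) ||
      attr(tag, "width") === "0" || attr(tag, "height") === "0";
    // Cross-origin frames that are unsandboxed or invisible deserve a manual look.
    findings.push({ src: resolved, crossOrigin, sandboxed, hidden,
      review: crossOrigin && (!sandboxed || hidden) });
  }
  return findings;
}
```

Running auditIframes(SAMPLE_PAGE_URL, SAMPLE_HTML) over a saved copy of a page gives a quick list of frames that were not put there by the page owner or that load from an unexpected server.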