How does Google Wave & iGoogle prevent XSS by a widget?

If you've used Google Wave or iGoogle you have probably seen that you can insert widgets that are made by third parties without approval. My question is: How does prevent the widge from performing XSS or steak co开发者_如何学运维okies? Are the widgets loaded in an <iframe>? If yes, then what prevents them from redirecting you to another page?

Thanks

Yes, they use iframes to host the untrusted content. They cannot steal cookies because this content is hosted on a different domain (gmodules.com), and the browser prevents cross-domain interaction.

Regarding redirection, a module hosted in an iframe CAN change the window.location (but surprisingly, cannot read it). So, it is possible for malicious code in a user-uploaded module to take you to a spoofed google login page in an attempt to steal your password.

I assume it is because those widgets would be banned if they did so.

The HTML5 group is working on a real(technical, rather than legal) solution to this problem using the "sandbox" attribute in iframes.

They can redirect you to another page, as far as i know.