privly / privly-firefox

Official Privly Browser Extension for Firefox - Allows for Viewing and Posting Content on Any Website Without the Host Site Having Access
https://priv.ly
MIT License
21 stars 15 forks

Non-Whitelisted servers can trick users #14

Closed smcgregor closed 12 years ago

smcgregor commented 12 years ago

We need a way to inform users what domain is displaying the non-whitelisted content.

smcgregor commented 12 years ago

My central concern with this issue is that someone could click a non-whitelisted link, which would expand to take up the entire page. The user would then think that the displayed content is from the address found in the address bar. After more experience with the way our iframes expand into host pages, I don't believe this should be an issue. If experience finds this to be a problem, we should look into ways of reducing phishing risk via limiting script execution in the injected iframes to the scripts stored in the extension.
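Added example, not part of the issue thread and not Privly's code: one way to decide, from a link's parsed hostname, whether injected content is whitelisted, what domain label to show the user, and whether to block scripts in the frame. The whitelist contents, the function name `classifyLink`, the https-only rule and the use of the HTML iframe `sandbox` attribute (in place of the thread's idea of running only extension-stored scripts) are assumptions.

```javascript
// Added example; names and the whitelist are assumptions, not Privly's code.
const WHITELIST = new Set(["priv.ly"]); // constructed sample whitelist

// Classify an injectable link by its parsed hostname, never by substring match.
function classifyLink(rawUrl, whitelist = WHITELIST) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { inject: false, reason: "unparseable URL" };
  }
  // Assumption: only https content is ever injected.
  if (url.protocol !== "https:") {
    return { inject: false, reason: "non-https scheme" };
  }
  // url.hostname is lowercased and excludes userinfo and port, so
  // "https://priv.ly@evil.example/" resolves to "evil.example".
  const host = url.hostname;
  const trusted = whitelist.has(host);
  return {
    inject: true,
    trusted,
    host,
    // Label displayed next to the injected frame for non-whitelisted content.
    label: trusted ? null : "Content served by " + host + " (not on your whitelist)",
    // Empty sandbox value: no scripts, no forms, no top-level navigation.
    sandbox: trusted ? null : "",
  };
}

// Constructed sample links covering lookalike hosts and userinfo tricks.
const SAMPLES = [
  "https://priv.ly/posts/1",
  "https://priv.ly.evil.example/posts/1",
  "https://priv.ly@evil.example/posts/1",
  "https://PRIV.LY:443/posts/1",
  "http://priv.ly/posts/1",
];
for (const s of SAMPLES) console.log(s, JSON.stringify(classifyLink(s)));
```

The caller would set the returned `sandbox` value on the iframe and render `label` outside the frame, where the framed page cannot overwrite it.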