Let’s say you used your LottsaMoneyBank web site to access your account but didn’t log out. It’s possible for another unscrupulous web page to create a hidden “IFrame”, load up a LottsaMoneyBank page, and since you aren’t logged out, attempt to do things with that page (for example, transfer money).
This is a “Cross-Site Scripting” (XSS) attack, and recently Google Chrome released version 30 that keeps JavaScript from accessing any frame owned by another domain (JavaScript now throws a “SecurityException”). On one hand, this offers great increased protection to Chrome users. On another, it has lead to Google Maps not working in cases when other iFrames (such as AddThis) is on the page. Similarly it has broken other tools like FCKEditor.
So to support Google Chrome 30+, we web developers need to add “try-catch” blocks to catch this new SecurityException when we access frames. Time to get to work.
Oy!