@ choie
Well, I reckon all Windows browsers have vulnerability. Where there is scripting allowed from outside the browser’s present domain, it would seem to me that that itself qualifies as a vulnerablity — or as someone above put it: a “security no-no”. How do the browsers in which these scripts run protect themselves from the injection of malicious scripts?
By not allowing you to access the Document Object Model of that site, which no popular browser does. Setting the source of an iframe monitors a single variable within the domain of the caller.
Firefox, Safari, Opera, etc…: document.frame.src == good, document.frame.document… == bad.
Internet Explorer: document.frame.src == bad, document.frame.document… == bad.
Clearly, in neither case do you have the ability to modify content that does not originate at your domain.
Thank you for all the time you’ve put in on this, alterego–and for sharing it with us.