William Chou
Yea, the edge case is always true for Gmail and email providers that size the email iframe to the AMP page height.
Or horizontal lines for each level to see how far we are between the next lower/higher level. :)
Safe mode/DOMPurify won't allow injection of script tags that execute code anyways, so this is only relevant to the "unsafe" mode. Tangent: Should we rename "safe" mode to "AMP" mode?
Low priority but let's keep it open. Using unsupported properties may cause non-obvious downstream bugs e.g. `undefined` being passed around and causing something else to break.
If Proxy implementation for this is small enough, might be sufficient to have a runtime check (e.g. enabled via hash param on window location) rather than compile-time via separate binary.
@ampproject/wg-access-subscriptions
> So if a hacker changes the "url" parameter to some other domain

How would this happen? An XSS on canonical-site.com?