@david_bokan @SecurityMB @ChromiumDev Not sure I follow the rationale for limiting to same origin. The attack as outlined would only work if the attacker does control the CSS of the victim page and manages to insert itself as the background URL source of
@tylerlwsmith Absolutely, me too! 😃