Re: Cross origin?
"To actually do something with this you would need a user to download an HTML file and run it locally. If you can get someone to do that, you'll probably be doing something far nastier than locking up their PC."
Like in an email? Maybe using a fake "you email client doesn't support HTML, click here to poen in your browser" type of attack?