Although devmo does not list at this time a type attribute on <xul:iframe>, it's really a goooood idea to add type="content" to your iframe elements if you're a XUL author and if you're using those iframes to reach arbitrary remote resources. If you don't, the remote resources have chrome access to the container of the iframe...

I discovered this a few minutes ago because my current XULrunner-based app contains a XUL iframe and that iframe reached a document containing the following lines:

if(window.self != window.top &&
!document.referrer.match(/https?:\/\/[^?\/]+\.anonymized\.com\//))
{
top.location.replace(window.location.pathname);
}

Of course, that piece of script trashed all my XUL and replaced it with the remote HTML page... I'm sure you don't want this in your own app. Use type="content" on iframes unless you really want chrome access in your iframe.