
Re: Proposal: Security checks after same-origin revocation with document.domain

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 13 Apr 2012 22:38:18 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
cc: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>
Message-ID: <Pine.LNX.4.64.1204132237430.22654@ps20323.dreamhostps.com>

On Fri, 13 Apr 2012, Boris Zbarsky wrote:
> On 4/13/12 5:56 PM, Ian Hickson wrote:
> > On Fri, 13 Apr 2012, Bobby Holley wrote:
> > > 
> > > I think this is suboptimal behavior. If we value revocation enough to
> > > spec it [...]
> > 
> > I don't think we do. It's only specced because that's what browsers did,
> > and I try to spec what browsers do.
> 
> Actually, having revocation is very important in some scenarios; 
> otherwise you can't use document.domain securely at all.

Can you elaborate on that?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 13 April 2012 22:38:43 UTC
