- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Mon, 05 Jan 2015 13:00:46 -0500
- To: public-webappsec@w3.org

On 1/5/15 11:26 AM, Daniel Kahn Gillmor wrote:
> this sounds buggy and prone to breakage.

Yes, I fully agree.

To be clear, I think making this sort of exception here is a bad idea from a security standpoint. We've seen real-life security bugs due to things like the branching condition bit you describe.

I just think that allowing unfettered access to non-https XHR from an https page is an even worse idea. ;)

-Boris

Received on Monday, 5 January 2015 18:01:19 UTC