Re: [whatwg] Location object identity and navigation behavior

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 8 Jan 2013 04:05:31 +0000 (UTC)
To: Bobby Holley <bobbyholley@gmail.com>
Message-ID: <Pine.LNX.4.64.1301080354040.12992@ps20323.dreamhostps.com>
Cc: whatwg <whatwg@lists.whatwg.org>

On Mon, 7 Jan 2013, Bobby Holley wrote:
> 
> Aside from concerns about stack introspection, the main downside of this 
> approach is that it's a blacklist, rather than a whitelist (like our 
> other security code), so we'll have to be extra careful when 
> implementing anything new on Location. Please keep that in mind when 
> updating the spec. ;-)

Can you elaborate on what is a blacklist?

The way it ended up in the spec is that everything on Location is blocked 
if it's a cross-origin access, except for the 'href' setter and 'replace'.

This is an area that I've already screwed up the security model for twice, 
though, so I would have no trouble believing I screwed it up again...

   http://whatwg.org/html#security-3

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 8 January 2013 04:05:53 GMT
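
The policy described in the message (everything on Location blocked cross-origin except the 'href' setter and 'replace'), modeled next to a blocklist to show why the difference matters when a member is added later. This is an added example, not part of the original message or of any browser's code; `crossOriginView`, `makeLocation`, `probe`, the blocklist contents and `futureMember` are assumptions made for illustration.

```javascript
// Added model, not browser code: a cross-origin view of a Location-like object.
// Allowlist from the message: only the 'href' setter and 'replace' are reachable.
const ALLOWED = { get: new Set(['replace']), set: new Set(['href']) };
const allowlist = (op, prop) => ALLOWED[op].has(prop);

// Blocklist for contrast (constructed): denies only members known when written.
const BLOCKED = { get: new Set(['href', 'hash', 'assign']), set: new Set(['hash']) };
const blocklist = (op, prop) => !BLOCKED[op].has(prop);

function crossOriginView(target, policy) {
  const deny = (op, prop) => {
    throw new Error(`SecurityError: cross-origin ${op} of ${String(prop)}`);
  };
  return new Proxy(target, {
    get(t, prop) {
      if (!policy('get', prop)) deny('get', prop);
      const v = t[prop];
      return typeof v === 'function' ? v.bind(t) : v;
    },
    set(t, prop, value) {
      if (!policy('set', prop)) deny('set', prop);
      t[prop] = value;
      return true;
    },
    ownKeys: () => [], // no enumeration of member names across origins
  });
}

// Constructed stand-in for a Location object; futureMember is hypothetical.
function makeLocation(url) {
  return {
    href: url,
    hash: '',
    futureMember: 'added after the policy was written',
    replace(u) { this.href = u; },
    assign(u) { this.href = u; },
  };
}

// Returns 'allowed' or 'blocked' for one access through a view.
function probe(view, op, prop) {
  try {
    if (op === 'get') void view[prop];
    else view[prop] = 'https://b.example/';
    return 'allowed';
  } catch (e) {
    return 'blocked';
  }
}
```

Under the allowlist policy `futureMember` is blocked without anyone touching the policy; under the blocklist it is readable until someone remembers to list it.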
