W3C home > Mailing lists > Public > www-dom@w3.org > January to March 2010

Re: trusted property

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 03 Mar 2010 16:51:01 -0500
Message-ID: <4B8ED9C5.30700@mit.edu>
To: Anne van Kesteren <annevk@opera.com>
CC: Olli@pettay.fi, www-dom@w3.org
On 3/3/10 4:47 PM, Anne van Kesteren wrote:
>> Use case is that XBL2 widget is provided by some other "domain" than
>> the page. Especially if the widget is from UA, it needs to be able to
>> check if the event is user initiated so that the widget can prevent
>> the page to do evil things like unwanted popups.
>
> That does not seem like a good reason to expose it to Web content as
> well. But maybe I'm missing something.

Any time you're doing mashups, and any time different parts of the 
mashup have different permissions (not an issue right now, but will 
become one with XBL2 and may become one if Brendan does the 
data-tainting stuff he wants to do in JS) there needs to be a way for 
script from origin A to not be trickable by events made up by script 
from origin B.

-Boris
Received on Wednesday, 3 March 2010 21:51:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 22 June 2012 06:14:04 GMT