- From: Walter H. <walter.h@mathemainzel.info>
- Date: Wed, 9 Aug 2017 07:28:57 +0200
- To: "Luis Barguñó Jané" <luisbargu@gmail.com>
- Cc: "Walter H." <walter.h@mathemainzel.info>, ietf-http-wg@w3.org
On Tue, August 8, 2017 22:41, Luis Barguñó Jané wrote:
>>
>> after the 3rd question you will allow it for the whole site, believe me
>> ...
>> otherwise the non existence of a serious use case is just proven ...
>>
>
> The permission is per-origin,

exactly this is a problem ... you MUST give permission per-request and not per-origin ... when you have given the permission for www.getpizza.com you also have given the permission for

<IMG SRC="https://www.getpizza.com/trackpixel.gif">

which could be found anywhere, where there is definitely no legit use case and a not acceptable raise of the vector ...

have it?

> so no need for a 3rd question. The
> permission
> is the same as the JS API.

see above ...

Received on Wednesday, 9 August 2017 05:29:23 UTC