W3C home > Mailing lists > Public > public-geolocation@w3.org > June 2009

Re: Restricting API access

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 15 Jun 2009 16:56:56 +0000 (UTC)
To: Erik Wilde <dret@berkeley.edu>
Cc: "public-geolocation@w3.org" <public-geolocation@w3.org>
Message-ID: <Pine.LNX.4.62.0906151654340.16244@hixie.dreamhostps.com>
On Mon, 15 Jun 2009, Erik Wilde wrote:
> that's really great to hear! and does that policy apply to 3rd party 
> scripts (i.e., not just iframes) as well?

It's not practically possible to limit anything to a per-script basis in 
HTML, sadly. A script from one origin running in the context of a second 
origin is able to generate a script from that second origin easily, and 
there's not really any way to detect this.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 15 June 2009 16:57:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:50:56 UTC