[Bug 27271] Normatively require https for all ancestor origins when requiring https at all

https://www.w3.org/Bugs/Public/show_bug.cgi?id=27271

Henri Sivonen <hsivonen@hsivonen.fi> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |27302

--- Comment #11 from Henri Sivonen <hsivonen@hsivonen.fi> ---
(In reply to Mike West from comment #10)
> (In reply to Henri Sivonen from comment #9)
> > Hmm. Actually, my comment 7 might have been wrong regarding whether the
> > algorithm is trying to do what I want. It loops up the browsing context
> > chain only for srcdoc. I meant to loop up the chain for all docs and fail if
> > anything in the chain is untrusted.
> 
> Best to file a new bug for that.

Bug 27302.

> I think I agree that that's what we should
> put in the spec, but it doesn't match Chrome's current behavior. I believe
> that's probably a reason to change Chrome, but we'll have to think about the
> impact (e.g. Netflix would break today).

I take it that you are referring to Web Crypto. As noted in bug 27302, the
reason for restricting Web Crypto and the reason for restricting most other
APIs that need restricting are different, so it's not unreasonable to apply
different levels of restriction.


Received on Tuesday, 11 November 2014 13:58:29 UTC