- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 15 Apr 2015 09:45:27 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Domenic Denicola <d@domenic.me>, Matthew Wolenetz <wolenetz@google.com>, Aaron Colwell <acolwell@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, WHATWG <whatwg@whatwg.org>, Brad Hill <hillbrad@gmail.com>, Ryan Sleevi <sleevi@google.com>, "public-html-media@w3.org" <public-html-media@w3.org>
On 14 April 2015 at 22:16, Anne van Kesteren <annevk@annevk.nl> wrote:
> None of that should be particularly hard, though I do worry that the
> further we get away from Response, the more we might lose sight of
> what we are trying to protect and make mistakes.

Indeed, the risk of error is definitely a concern. A similar practice (marking things with origins) happens all over the place in media code. It requires discipline, but it isn't especially difficult.

I believe that the easiest way to avoid this is to make an attempt to read Response.body raise a SecurityError if the origin is different (in Firefox terms, we would say "if the response principal is not subsumed by the script principal").
Received on Wednesday, 15 April 2015 16:45:57 UTC
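The origin-tainting idea in the message above, as an added toy model (not code from the thread or from any browser): a response remembers the origin it was fetched from, and reading its body throws a SecurityError unless the reading script's principal subsumes that origin. The `TaintedResponse` wrapper, the `"system"` principal stand-in and the sample URLs are assumptions for illustration.

```javascript
// Error type standing in for the platform's SecurityError DOMException.
class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

// Parse a URL into an origin tuple (scheme, host, port), normalising
// default ports so "https://a.example" and "https://a.example:443" agree.
function originOf(url) {
  const u = new URL(url);
  const defaults = { "http:": "80", "https:": "443" };
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaults[u.protocol] || "" };
}

// A principal is an origin tuple or the privileged "system" principal
// (assumed here as a stand-in for Firefox's system principal), which
// subsumes every origin; an ordinary origin only subsumes itself.
function subsumes(scriptPrincipal, responsePrincipal) {
  if (scriptPrincipal === "system") return true;
  return scriptPrincipal.scheme === responsePrincipal.scheme &&
         scriptPrincipal.host === responsePrincipal.host &&
         scriptPrincipal.port === responsePrincipal.port;
}

// Minimal tainted response: metadata stays readable, but the body is only
// handed out when the requesting script's principal subsumes the response's.
class TaintedResponse {
  constructor(url, body) {
    this.url = url;
    this.principal = originOf(url); // origin the bytes actually came from
    this._body = body;              // constructed sample payload
  }
  bodyFor(scriptPrincipal) {
    if (!subsumes(scriptPrincipal, this.principal)) {
      throw new SecurityError("cross-origin response body is not readable");
    }
    return this._body;
  }
}

// Returns true when a script running as scriptPrincipal may read the body of
// a response fetched from responseUrl; false when the read is blocked.
function canRead(scriptPrincipal, responseUrl) {
  const r = new TaintedResponse(responseUrl, "constructed media bytes");
  try { r.bodyFor(scriptPrincipal); return true; }
  catch (e) { if (e instanceof SecurityError) return false; throw e; }
}
```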