- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 13 Apr 2012 18:02:19 -0400
- To: Ian Hickson <ian@hixie.ch>
- CC: Bobby Holley <bobbyholley@gmail.com>, public-script-coord@w3.org, w3c@adambarth.com, Johnny Stenback <jst@mozilla.com>, Blake Kaplan <mrbkap@mozilla.com>, Daniel Veditz <dveditz@mozilla.com>

On 4/13/12 5:56 PM, Ian Hickson wrote:
> On Fri, 13 Apr 2012, Bobby Holley wrote:
>>
>> I think this is suboptimal behavior. If we value revocation enough to
>> spec it [...]
>
> I don't think we do. It's only specced because that's what browsers did,
> and I try to spec what browsers do.

Actually, having revocation is very important in some scenarios; otherwise you can't use document.domain securely at all. With the current spec setup you _can_ use it securely but only if you're incredibly careful in terms of what objects your page holds on to from before it set document.domain. It's a bit of a footgun.

-Boris

Received on Friday, 13 April 2012 22:02:51 UTC