- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 23 Oct 2012 10:20:28 -0400
- To: Ian Hickson <ian@hixie.ch>
- CC: Bobby Holley <bobbyholley@gmail.com>, Adam Barth <w3c@adambarth.com>, public-script-coord@w3.org
On 10/23/12 2:34 AM, Ian Hickson wrote: > I need to study whether we should do that, or change the definition of > source browsing context. It'd be a bit weird for them to be different. > Also, I expect that if it's good to remove the logic that's Gecko > currently has to do the Referer stuff, then it'd be equally good to remove > that logic for the other things the source browsing context is used for, > e.g. the sandbox security checks. > > Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=19662 Security information is associated with compiled script, in the end, not with browsing contexts. Can you point to where we use source browsing contexts for security checks? That seems very odd to me. Also note something I said earlier in this thread: if navigation is triggered by calling click() on an <a> element, the referrer should probably be the URI of the ownerDocument of that element, not anything related to scripts in any way. -Boris
Received on Tuesday, 23 October 2012 14:20:59 UTC