- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 23 Oct 2012 22:03:25 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- cc: Bobby Holley <bobbyholley@gmail.com>, Adam Barth <w3c@adambarth.com>, public-script-coord@w3.org
On Tue, 23 Oct 2012, Boris Zbarsky wrote:
> On 10/23/12 2:34 AM, Ian Hickson wrote:
> > I need to study whether we should do that, or change the definition of
> > source browsing context. It'd be a bit weird for them to be different.
> > Also, I expect that if it's good to remove the logic that Gecko
> > currently has to do the Referer stuff, then it'd be equally good to remove
> > that logic for the other things the source browsing context is used for,
> > e.g. the sandbox security checks.
> >
> > Filed https://www.w3.org/Bugs/Public/show_bug.cgi?id=19662
>
> Security information is associated with compiled script, in the end, not
> with browsing contexts.
>
> Can you point to where we use source browsing contexts for security
> checks? That seems very odd to me.

The navigation algorithm uses the sandbox flags from the source browsing
context to determine whether the navigation is allowed, per the spec. I
think it probably makes sense to change this to the entry script as well.

> Also note something I said earlier in this thread: if navigation is
> triggered by calling click() on an <a> element, the referrer should
> probably be the URI of the ownerDocument of that element, not anything
> related to scripts in any way.

That's already the case, per spec. (The click() method causes, in due
course, the activation behavior to trigger, which for <a> is defined as,
in the simple case, "follow the hyperlink", which itself is defined as
using the browsing context of the Document of the element as the source
browsing context.)

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 23 October 2012 22:03:48 UTC