- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 19 Jan 2011 15:40:44 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-web-security@w3.org, Sid Stamm <sid@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>

> The current text just uses the final URL. Is there some reason every
> hop is important? Using the final URL is analogous to how <iframe>
> works, for example.

Yeah, I meant to say it should not settle for checking the initial URL only (this is a mistake repeated so many times with XMLHttpRequest, etc., that it's becoming very sad). Last URL is obviously fine.

> The attacker can always just avoid doing anything that triggers a
> SecurityViolation (because triggering SecurityViolations is useless
> from the attacker's point of view). The monitoring aspect is mostly
> useful for the non-malicious case: to make sure you're not screwing up
> your policy somehow.

OK, fair point.

/mz

Received on Wednesday, 19 January 2011 23:41:36 UTC