- From: David Baron <notifications@github.com>
- Date: Fri, 17 Jul 2015 13:55:58 -0700
- To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Received on Friday, 17 July 2015 20:56:25 UTC
It also seems like it might be worth explaining slightly more of the security aspects that go *beyond* the Web's origin model. Gecko has linking prohibitions that apply to file URLs that are separate from origin checks, that, e.g., forbid inclusion of images from http to file and similar, to prevent attacks like the ones mentioned briefly in Security Considerations (e.g., using files in /dev/ for various things such as depleting randomness sources). (In Gecko, I think these are the CheckLoadURI* checks.) It also may be worth explaining origins (e.g., different directories being different origins) as well. --- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/spec-reviews/issues/59#issuecomment-122413666
Received on Friday, 17 July 2015 20:56:25 UTC