- From: Mike West <notifications@github.com>
- Date: Mon, 11 May 2020 00:27:36 -0700
- To: heycam/webidl <webidl@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 11 May 2020 07:27:49 UTC
Hey folks! This can't actually land as-is, given that "cross-origin isolated" is still floating around in a set of PRs against HTML, but I'm hopeful that y'all can give me some direction about the mechanics of defining the `[CrossOriginIsolated]` attribute in the meantime.

This patch does the simplest thing possible, by copy/pasting `[SecureContext]` and munging it a bit to define exposure restrictions based upon the "cross-origin isolated" concept rather than the "secure context" concept. This is possibly fine? I considered pulling out the common bits into an "exposure attribute" concept, which would make it simpler to define these two concepts, as well as an attribute related to XSS mitigation that I haven't written up in detail yet (what https://github.com/mikewest/securer-contexts currently calls `[SecureContext=Injection]`).

WDYT about the approach? Would it be worth going back to making "exposure attribute" a generic concept? Or is a bit of duplication better for clarity?

/cc @annevk @camillelamy @domenic

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/heycam/webidl/pull/883#issuecomment-626522450