- From: Mike West <notifications@github.com>
- Date: Wed, 13 May 2020 06:50:39 -0700
- To: heycam/webidl <webidl@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 13 May 2020 13:50:56 UTC
> I think my suggestion still allows inversion: `[Context=Insecure]` or such.

That's fair. I think the inversion is clearer as distinct attributes, but it certainly works as `[Context=UnsafelyExposedToNetworkAttackers]` or something similar. I can certainly live with that spelling.

That said, let's go back to your suggestion that:

> ... we can have only one check: whether descendants have `[Context]` or not.

This works for secure transport and cross-origin isolation, as the latter implies the former. Injection mitigation is currently orthogonal, evaluating whether a CSP is present, not whether the context is securely delivered. Perhaps we'd say that any contextual exposure would require secure contexts?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/heycam/webidl/pull/883#issuecomment-627999924