Re: [whatwg/webidl] Consider adding an `[InjectionMitigated]` extended attribute. (Issue #1440)

@domenic: I think a difference with [CrossOriginIsolated] is that conceptually only two APIs fall into the particular threat model it addresses (process-wide XS-Leaks). On the other hand, it would actually make sense to request [InjectionMitigated] for any new API gated behind a permission prompt, since the permission model is relying on XSS not happening on the page that requests it. Of course, whether this is actually doable from a compatibility perspective is a different question :). But at the very least, it means that there should be a lot more APIs for which we can consider requiring [InjectionMitigated] than APIs that require [CrossOriginIsolated].

https://github.com/whatwg/webidl/issues/1440#issuecomment-2401867400

Message ID: <whatwg/webidl/issues/1440/2401867400@github.com>

Received on Wednesday, 9 October 2024 09:55:18 UTC