Re: [whatwg/webidl] Consider adding an `[InjectionMitigated]` extended attribute. (Issue #1440) from Camille Lamy on 2024-10-09 (public-webapps-github@w3.org from October 2024)

From: Camille Lamy <notifications@github.com>
Date: Wed, 09 Oct 2024 02:55:14 -0700
To: whatwg/webidl <webidl@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/webidl/issues/1440/2401867400@github.com>

@domenic: I think a difference with [CrossOriginIsolated] is that conceptually only two APIs fall into the particular threat model it addresses (process-wide XS-Leaks). On the other hand, it would actually make sense to request [InjectionMitigated] for any new API gated behind a permission prompt, since the permission model is relying on XSS not happening on the page that requests it. Of course, whether this is actually doable from a compatibility perspective is a different question :). But at the very least, it means that there should be a lot more APIs for which we can consider requiring [InjectionMitigated] than APIs that require [CrossOriginIsolated].

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/webidl/issues/1440#issuecomment-2401867400
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/webidl/issues/1440/2401867400@github.com>

Received on Wednesday, 9 October 2024 09:55:18 UTC