- From: Camille Lamy <notifications@github.com>
- Date: Wed, 09 Oct 2024 02:55:14 -0700
- To: whatwg/webidl <webidl@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 9 October 2024 09:55:18 UTC
@domenic: I think a difference with [CrossOriginIsolated] is that conceptually only two APIs fall into the particular threat model it addresses (process-wide XS-Leaks). On the other hand, it would actually make sense to request [InjectionMitigated] for any new API gated behind a permission prompt, since the permission model is relying on XSS not happening on the page that requests it. Of course, whether this is actually doable from a compatibility perspective is a different question :). But at the very least, it means that there should be a lot more APIs for which we can consider requiring [InjectionMitigated] than APIs that require [CrossOriginIsolated].

-- 
Reply to this email directly or view it on GitHub: https://github.com/whatwg/webidl/issues/1440#issuecomment-2401867400