- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 25 May 2009 15:01:30 -0700
- To: marcosc@opera.com
- Cc: timeless@gmail.com, public-webapps <public-webapps@w3.org>
On Mon, May 25, 2009 at 2:34 PM, Marcos Caceres <marcosc@opera.com> wrote:
> should the following inline resources load?
>
> <html>
> <script src="'http://foo.com"/> </script>
> <img src="http://foo.com/image">
> <iframe src="http://bar.com">

I haven't studied the widgets use case in detail, but these sorts of loads usually aren't restricted. If it's fine for attacker.com to load these resources, why would it be problematic for widgets to load them?

> And what is the origin?

The origin is the scheme, host, and port of the document's URL.

> I'm not interested in getting bogged down in complex terminology,
> fancy pants RFCs, and things that are hard to understand, at this
> point. I just want to take the average widget developer (me) point of
> view in an effort to understand how it works (or not) in practice.

To what practice are you referring? Are there deployed widgets that have already made assumptions about these behaviors?

Adam
Received on Monday, 25 May 2009 22:02:30 UTC
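The origin rule Adam states above (scheme, host and port of the document's URL), as an added example that is not part of the thread: it computes the origin tuple with default-port normalization and classifies the three resource URLs Marcos quoted against a hypothetical embedding document at widget-host.example (a constructed name, not from the thread).

```javascript
// Added example, not from the mailing-list thread. Computes an origin as
// the tuple (scheme, host, port) and checks which resource loads are
// cross-origin relative to the embedding document.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Origin = scheme, host and port of the URL. An omitted port means the
// scheme's default, so http://foo.com and http://foo.com:80 are one origin;
// the path (e.g. /image) plays no part.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Two URLs share an origin only if all three components match exactly.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Classify each resource load as same-origin or cross-origin relative to
// the document that embeds it.
function classifyLoads(documentUrl, resourceUrls) {
  return resourceUrls.map((url) => ({
    url,
    origin: originOf(url),
    crossOrigin: !sameOrigin(documentUrl, url),
  }));
}

// Constructed sample: a hypothetical document at widget-host.example
// embedding the three resources from Marcos's question.
const DOCUMENT_URL = "http://widget-host.example/index.html";
const RESOURCES = ["http://foo.com", "http://foo.com/image", "http://bar.com"];

for (const r of classifyLoads(DOCUMENT_URL, RESOURCES)) {
  const o = `${r.origin.scheme}://${r.origin.host}:${r.origin.port}`;
  console.log(`${r.url} -> origin ${o}, ${r.crossOrigin ? "cross-origin" : "same-origin"}`);
}
```

All three quoted loads are cross-origin relative to the document, while http://foo.com and http://foo.com/image share one origin with each other; the same loads would be blocked or allowed identically for any other embedding page, which is the point of Adam's attacker.com comparison.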