- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 1 May 2013 14:24:39 +1000
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Webapps WG <public-webapps@w3.org>
On 01/05/2013, at 2:20 PM, Jonas Sicking <jonas@sicking.cc> wrote:

> The current AppCache spec suffers from this too, but only once users
> go offline. I.e. I can use FALLBACK to take over
> http://users.example.edu/~alice/ using a resource from
> http://users.example.edu/~bob/newalice.html
>
> But that only works when the user is offline, which limits the damage a little.

Yeah, I noticed that too; like you say, it's pretty limited. I did some quick testing and couldn't get current implementations to do it (I think because either they haven't completely implemented fallback, or I wasn't properly triggering it).

> The only solution that I can see to this problem is requiring that
> manifests, or navigationcontroller-scripts are only allowed to "take
> over" URLs that are "below" them. I.e.
> http://users.example.edu/~bob/manifest.json could only control
> navigations to URLs with the prefix "http://users.example.edu/~bob/".
> You could still redirect resource loading in more flexible ways, but
> maybe top-level page loads need to have this restriction.

Possibly. I'm still a bit wary of that; there are some *weird* CMSs out there that hide lots of things behind opaque, unstructured URLs.

Cheers,

--
Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 1 May 2013 04:25:05 UTC
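
The "below the manifest" restriction proposed in the quoted text, sketched as an added example (not part of the original thread or of any specification). The function names `manifestScope` and `mayControl` are hypothetical, and two choices are assumptions: the scope is the directory containing the manifest, and encoded path separators are rejected outright.

```javascript
'use strict';
// Added illustration; names are hypothetical and not taken from any spec.

// Assumption: a manifest's scope is its origin plus its containing directory,
// e.g. http://users.example.edu/~bob/manifest.json -> "/~bob/".
function manifestScope(manifestUrl) {
  const m = new URL(manifestUrl);
  const dir = m.pathname.slice(0, m.pathname.lastIndexOf('/') + 1);
  return { origin: m.origin, dir };
}

// True only if a top-level navigation to navigationUrl falls under the scope.
function mayControl(manifestUrl, navigationUrl) {
  let nav;
  try {
    // The URL parser resolves "." and ".." segments before we compare,
    // so /~bob/../~alice/ is checked as /~alice/.
    nav = new URL(navigationUrl);
  } catch {
    return false; // unparseable target: refuse
  }
  const scope = manifestScope(manifestUrl);

  // Scheme, host and port must all match.
  if (nav.origin !== scope.origin) return false;

  // Conservative assumption: refuse encoded separators, because a server
  // that decodes %2f or %5c could map the request outside the checked prefix.
  if (/%2f|%5c/i.test(nav.pathname)) return false;

  // Comparing against a directory that ends in "/" stops sibling-prefix
  // confusion: "/~bobby/" does not start with "/~bob/".
  return nav.pathname.startsWith(scope.dir);
}

// Constructed sample URLs, reusing the hosts from the thread.
const bob = 'http://users.example.edu/~bob/manifest.json';
console.log(mayControl(bob, 'http://users.example.edu/~bob/app/index.html'));
console.log(mayControl(bob, 'http://users.example.edu/~alice/'));
console.log(mayControl(bob, 'http://users.example.edu/~bobby/'));
console.log(mayControl(bob, 'http://users.example.edu/~bob/../~alice/'));
```

A manifest served from the origin root has the scope `/` and therefore covers every path on that origin, so the check only isolates users when each one is confined to their own directory.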