- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 20 Mar 2014 18:34:30 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Ian Hickson <ian@hixie.ch>, Arun Ranganathan <arun@mozilla.com>, Travis Leithead <travis.leithead@microsoft.com>, public-webapps <public-webapps@w3.org>
On Wed, Mar 19, 2014 at 8:05 AM, Anne van Kesteren <annevk@annevk.nl> wrote: >> This is because we have been bit several times by having code from >> security context A (in our case code from chrome://) receive a URL >> from code from security context B. A would then load that URL. This >> way B can trick A into creating content that B controls, but that runs >> with As privileges. >> >> I'd love it if the web also had such an opt-in flag, but I don't know >> how possible that is to create. > > We could have an attribute on the various loading contexts, no? We could. Would love to see proposals for that. Right now the specification for origin handling is fiction and as far as I know there is no proposal that all involved parties agree to. An important question is if we can fix data:'s origin handling, without making it complicated enough that we don't want to use it for anything else. / Jonas
Received on Friday, 21 March 2014 01:35:32 UTC