Re: Sub-origins

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 29 Aug 2013 14:37:35 -0700
Message-ID: <CALx_OUCxqM17_UFT0L4p_qpzLzsaDY8H=W0Ts5bNMXn3UZyCag@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Brad Hill <hillbrad@gmail.com>, Michal Zalewski <lcamtuf@google.com>, Mike West <mkwst@google.com>, Adam Barth <abarth@google.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>

> Perhaps I'm missing something, though. Brad, is this not a concern of
> yours? How would we expect a legacy browser, for example, to gracefully
> handle a hash origin or http://foo$bar.com origin?

I suspect that being graceful isn't Brad's primary concern: failing open
versus failing to work at all is a more concerning prospect =) Now, I
*think* we have all the key special cases covered, but I wouldn't bet all
my savings on it...

Received on Thursday, 29 August 2013 21:38:23 UTC