
Re: Sub-origins

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 29 Aug 2013 14:37:35 -0700
Message-ID: <CALx_OUCxqM17_UFT0L4p_qpzLzsaDY8H=W0Ts5bNMXn3UZyCag@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Brad Hill <hillbrad@gmail.com>, Michal Zalewski <lcamtuf@google.com>, Mike West <mkwst@google.com>, Adam Barth <abarth@google.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>
>
> Perhaps I'm missing something, though. Brad, is this not a concern of
> yours? How would we expect a legacy browser, for example, to gracefully
> handle a hash origin or http://foo$bar.com origin?
>

I suspect that being graceful isn't Brad's primary concern: failing open
versus failing to work at all is a more concerning prospect =) Now, I
*think* we have all the key special cases covered, but I wouldn't bet all
my savings on it...

/mz
Received on Thursday, 29 August 2013 21:38:23 UTC
