Re: Sub-origins from Michal Zalewski on 2013-08-29 (public-webappsec@w3.org from August 2013)

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 29 Aug 2013 14:37:35 -0700
To: Joel Weinberger <jww@chromium.org>
Cc: Brad Hill <hillbrad@gmail.com>, Michal Zalewski <lcamtuf@google.com>, Mike West <mkwst@google.com>, Adam Barth <abarth@google.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>
Message-ID: <CALx_OUCxqM17_UFT0L4p_qpzLzsaDY8H=W0Ts5bNMXn3UZyCag@mail.gmail.com>

>
> Perhaps I'm missing something, though. Brad, is this not a concern of
> yours? How would we expect a legacy browser,  for example, to gracefully
> handle a hash origin or http://foo$bar.com origin?
>

I suspect that being graceful isn't Brad's primary concern: failing open
versus failing to work at all is a more concerning prospect =) Now, I
*think* we have all the key special cases covered, but I wouldn't bet all
my savings on it...

/mz

Received on Thursday, 29 August 2013 21:38:23 UTC