- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Fri, 27 Jun 2014 16:56:12 -0700
- To: Chris Palmer <palmer@google.com>
- Cc: Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, dev-security@lists.mozilla.org

>> I think the inclusion of file:/// is somewhat problematic, since it is
>> not implied that the content arrived over a secure channel,
>
> Right. "But it's here now." Perhaps we should take file: off the list,
> perhaps we should find some way to tag files as having come from
> secure transport, or...

A special problem here is also how to scope the permission if ever granted by the user. A permission granted to file:///installed_app/bar.html probably shouldn't carry over to file:///some/random/downloaded/thing.html.

> Right. mkwst, others, and tangentially me are working on tightening it
> up for reasons like this.
> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0214.html

Yeah, I was following this pretty closely, but didn't think it's aiming to restrict the ability for file:/// to, say, load scripts from http://bad.idea.com/nooo.js?

/mz

Received on Friday, 27 June 2014 23:56:59 UTC