- From: Chris Palmer <palmer@google.com>
- Date: Fri, 27 Jun 2014 17:02:53 -0700
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, dev-security@lists.mozilla.org

On Fri, Jun 27, 2014 at 4:56 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> A special problem here is also how to scope the permission if ever
> granted by the user. A permission granted to
> file:///installed_app/bar.html probably shouldn't carry over to
> file:///some/random/downloaded/thing.html.

Right. Permissions are (I hope always) granted and persisted per origin; and, in Chrome at least, each file pathname is a distinct origin.

>> Right. mkwst, others, and tangentially me are working on tightening it
>> up for reasons like this.
>> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0214.html
>
> Yeah, I was following this pretty closely, but didn't think it's
> aiming to restrict the ability for file:/// to, say, load scripts from
> http://bad.idea.com/nooo.js?

I think you are right about that.

Received on Saturday, 28 June 2014 00:03:20 UTC