On 14 April 2015 at 22:16, Anne van Kesteren <annevk@annevk.nl> wrote: > None of that should be particularly hard, though I do worry that the > further we get away from Response, the more we might lose sight of > what we are trying to protect and make mistakes. Indeed, the risk of error is definitely a concern. A similar practice (marking things with origins) happens all over the place in media code. It requires discipline, but it isn't especially difficult. I believe that the easiest way to avoid this is to make an attempt to read Response.body raise a SecurityError if the origin is different (in Firefox terms, we would say "if the response principal is not subsumed by the script principal").Received on Wednesday, 15 April 2015 16:45:59 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC