W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: [whatwg] Fetch, MSE, and MIX

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 16 Apr 2015 06:37:30 +0200
Message-ID: <CADnb78gUQb8NN95X2YpxJG69w43bJr_j8hy5VxkGXyfYF_BE1A@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Domenic Denicola <d@domenic.me>, Matthew Wolenetz <wolenetz@google.com>, Aaron Colwell <acolwell@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, WHATWG <whatwg@whatwg.org>, Brad Hill <hillbrad@gmail.com>, Ryan Sleevi <sleevi@google.com>, "public-html-media@w3.org" <public-html-media@w3.org>
On Wed, Apr 15, 2015 at 6:45 PM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> I believe that the easiest way to avoid this is to make an attempt to
> read Response.body raise a SecurityError if the origin is different
> (in Firefox terms, we would say "if the response principal is not
> subsumed by the script principal").

The proposal is that .body returns an opaque stream object that you
cannot read from, but privileged code can. But yes, same general idea
as the SOP dances elsewhere.

Having said all this, it has come to my attention that Netflix had a
change of heart so maybe we do not want to put effort into this new
Mixed Content API? It could still be useful for
same-scheme-cross-origin-"no-cors" of course, but nobody has asked for

Received on Thursday, 16 April 2015 04:38:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC