Re: [whatwg] Fetch, MSE, and MIX

> On Apr 15, 2015, at 9:37 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
> On Wed, Apr 15, 2015 at 6:45 PM, Martin Thomson
> <martin.thomson@gmail.com> wrote:
>> I believe that the easiest way to avoid this is to make an attempt to
>> read Response.body raise a SecurityError if the origin is different
>> (in Firefox terms, we would say "if the response principal is not
>> subsumed by the script principal").
>
> The proposal is that .body returns an opaque stream object that you
> cannot read from, but privileged code can. But yes, same general idea
> as the SOP dances elsewhere.
>
> Having said all this, it has come to my attention that Netflix had a
> change of heart

Anne,

I hope you would concede that this was not simply a 'change of heart'.
We created and shared a new technology (kernel encryption) which makes
HTTPS viable for us at our scale. We did it much faster than we
predicted 6 months ago, not because it was easy but because we put some
very talented people on the problem.

... Mark

> so maybe we do not want to put effort into this new
> Mixed Content API? It could still be useful for
> same-scheme-cross-origin-"no-cors" of course, but nobody has asked for
> that.
>
>
> --
> https://annevankesteren.nl/

Received on Thursday, 16 April 2015 14:47:31 UTC