- From: Mark Watson <watsonm@netflix.com>
- Date: Thu, 16 Apr 2015 07:47:02 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Aaron Colwell <acolwell@google.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Matthew Wolenetz <wolenetz@google.com>, WHATWG <whatwg@whatwg.org>, Domenic Denicola <d@domenic.me>, Ryan Sleevi <sleevi@google.com>, "public-html-media@w3.org" <public-html-media@w3.org>
> On Apr 15, 2015, at 9:37 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
> On Wed, Apr 15, 2015 at 6:45 PM, Martin Thomson
> <martin.thomson@gmail.com> wrote:
>> I believe that the easiest way to avoid this is to make an attempt to
>> read Response.body raise a SecurityError if the origin is different
>> (in Firefox terms, we would say "if the response principal is not
>> subsumed by the script principal").
>
> The proposal is that .body returns an opaque stream object that you
> cannot read from, but privileged code can. But yes, same general idea
> as the SOP dances elsewhere.
>
> Having said all this, it has come to my attention that Netflix had a
> change of heart

Anne, I hope you would concede that this was not simply a 'change of heart'. We created and shared a new technology (kernel encryption) which makes HTTPS viable for us at our scale. We did it much faster than we predicted 6 months ago, not because it was easy but because we put some very talented people on the problem.

...

Mark

> so maybe we do not want to put effort into this new
> Mixed Content API? It could still be useful for
> same-scheme-cross-origin-"no-cors" of course, but nobody has asked for
> that.
>
>
> --
> https://annevankesteren.nl/
Received on Thursday, 16 April 2015 14:47:31 UTC