W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: [whatwg] Fetch, MSE, and MIX

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 21 Apr 2015 09:53:10 -0700
Message-ID: <CADnb78hjbiZ=drPm=aSNesriG_BwFUW=HsSFoDzY7BxWpWADjg@mail.gmail.com>
To: "Jerry Smith (WINDOWS)" <jdsmith@microsoft.com>
Cc: Ryan Sleevi <sleevi@google.com>, Henri Sivonen <hsivonen@hsivonen.fi>, Mark Watson <watsonm@netflix.com>, Martin Thomson <martin.thomson@gmail.com>, Aaron Colwell <acolwell@google.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Matthew Wolenetz <wolenetz@google.com>, WHATWG <whatwg@whatwg.org>, Domenic Denicola <d@domenic.me>, "public-html-media@w3.org" <public-html-media@w3.org>
On Mon, Apr 20, 2015 at 11:16 AM, Jerry Smith (WINDOWS)
<jdsmith@microsoft.com> wrote:
> Has a mechanism been proposed that would block UAs from returning parsed
> data like this?  In the EME spec, UAs are required now to treat initiData as
> untrusted.  In this mixed content case with opaque data, are we extending
> this to mean that opaque initData parsed in trusted code must be kept opaque
> as far as the JS app is concerned?  Do we agree that is necessary?

Yes. We should not break SOP
https://annevankesteren.nl/2015/02/same-origin-policy any further.

Received on Tuesday, 21 April 2015 16:53:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC