- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Mon, 05 Jan 2015 07:39:10 -0500
- To: public-webappsec@w3.org
On 1/5/15 6:26 AM, Tim Berners-Lee wrote:
> - The first is necessary to access arbitrary open data out there on the web.

The problem is that it's somewhat common for pages to use dynamic script loaders which fetch script data via XMLHttpRequest and then execute it.

> If the data is intercepted the user's map will lie to them but the interceptor is not able to take immediate control of the app.

True, but if a script being loaded by a script loader is intercepted then the interceptor does in fact take immediate control of the app. And the browser has no way to really tell these cases apart at the moment.

Resolving this problem is a must if we want to consider allowing XHR to http:// URLs from https:// contexts. It may be viable to have a way to opt in to such XHRs explicitly on a per-load basis, with it being somehow clear that the page is expected to not trigger any script execution based on the returned data...

-Boris
Received on Monday, 5 January 2015 12:39:41 UTC
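The distinction Boris draws above, modeled as an added example that is not part of the original thread or of any browser's code: two consumers issue the same cleartext GET, one parses the body as data and the other executes it the way an XHR-based script loader does, and a simulated on-path interceptor rewrites both. The transport, the URLs, the response bodies, the `app` object and the interceptor are all constructed for the illustration; nothing here touches a real network.

```javascript
// Added example (not from the original thread). A toy model of the two
// XHR-over-http patterns: "open data" consumption versus a dynamic script
// loader, each facing the same on-path interceptor.

// Constructed sample bodies an http:// origin might legitimately serve.
const ORIGIN_RESPONSES = {
  "http://example.test/map.json":
    JSON.stringify({ city: "Cambridge", lat: 42.37, lon: -71.11 }),
  "http://example.test/loader-module.js":
    "exports.version = 'v1'; exports.zoom = 12;",
};

// The page's own state; a real loader runs fetched code in the global
// scope, so passing `app` in models the access that code would have.
const app = { title: "Map viewer", hijacked: false };

// Simulated cleartext transport. An interceptor, if present, may rewrite
// any body: that is exactly the capability an http:// fetch from an
// https:// page hands to anyone on the path. Note that both consumers
// below call this identically, which is why the browser cannot tell them
// apart from the request alone.
function fetchCleartext(url, interceptor) {
  const body = ORIGIN_RESPONSES[url];
  if (body === undefined) throw new Error("unknown URL " + url);
  return interceptor ? interceptor(url, body) : body;
}

// Pattern 1: open data. The body is parsed and never executed, so a
// tampered response can only lie about its contents.
function loadMapData(url, interceptor) {
  return JSON.parse(fetchCleartext(url, interceptor));
}

// Pattern 2: dynamic script loader. The body is executed as code, so a
// tampered response runs with the page's authority. (Real loaders do the
// same via eval or new Function after an XMLHttpRequest.)
function loadModule(url, interceptor) {
  const exports = {};
  new Function("exports", "app", fetchCleartext(url, interceptor))(exports, app);
  return exports;
}

// Constructed interceptor: it rewrites whatever passes through it.
function interceptor(url, body) {
  if (url.endsWith(".json")) {
    // Against data, the best it can do is feed false coordinates.
    return JSON.stringify({ city: "Cambridge", lat: 0, lon: 0 });
  }
  // Against a script load, its text becomes the page's code.
  return "exports.version = 'tampered'; app.hijacked = true; app.title = 'interceptor';";
}

// Run both scenarios and report what the interceptor achieved in each.
function demo() {
  const honestData = loadMapData("http://example.test/map.json", null);
  const liedData = loadMapData("http://example.test/map.json", interceptor);
  const hijackedBeforeScript = app.hijacked;
  const honestModule = loadModule("http://example.test/loader-module.js", null);
  const tamperedModule = loadModule("http://example.test/loader-module.js", interceptor);
  return {
    honestLat: honestData.lat,
    liedLat: liedData.lat,
    hijackedAfterDataOnly: hijackedBeforeScript,
    honestVersion: honestModule.version,
    tamperedVersion: tamperedModule.version,
    hijackedAfterScript: app.hijacked,
  };
}
```

In this model the data path ends with a wrong map and an untouched `app`, while the script-loader path ends with the interceptor's code having written into `app`. The per-load opt-in Boris floats would amount to the page declaring, at request time, which of these two consumers the response is destined for, since the request bytes themselves are the same in both cases.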