- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 10 May 2017 18:32:09 +0200
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Mike West <mkwst@google.com>, James Kettle <james.kettle@portswigger.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, May 10, 2017 at 5:42 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> Yes, we do rely on it right now. We rely on a form of CSRF tokens to protect
> the requests so that evil.com can't make the request; while any XSS on the
> page can't affect the main origin.
>
> My point is that the vulnerability that null allows is the same in impact as
> the websites that just blindly reflect an origin. None of the proposals for
> that are talking about breaking existing apps and I think we should follow
> the same principle here.

Since breaking Dropbox doesn't really seem like an option, write a PR against Fetch to remove the issue marker? Not much point in having it there if it can't be implemented.

--
https://annevankesteren.nl/
Received on Wednesday, 10 May 2017 16:32:40 UTC
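The thread's point is that answering `Access-Control-Allow-Origin: null` with credentials is equivalent in impact to blindly reflecting whatever `Origin` a request carries, because `null` is not a single trusted site but the opaque origin shared by sandboxed frames and similar documents. The following is an added example, not code from the thread, Fetch, or Dropbox: a small allow-list based CORS responder shown beside the two configurations the thread treats as equivalent, plus an audit function that classifies a (request `Origin`, response headers) pair so a defender can spot either one in their own server's output. The function names, the `mode` values, and the hostnames in `ALLOWED_ORIGINS` are assumptions made for the example.

```python
"""Added example: CORS grant modes and an audit check for them.

Not part of the mailing-list thread; names, modes and hostnames below
are constructed for illustration.
"""
from typing import Dict, FrozenSet, Optional

# Constructed allow-list for the example; a real server loads its own.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers(request_origin: Optional[str], *, mode: str = "allowlist") -> Dict[str, str]:
    """Headers a server would emit for a request carrying `request_origin`
    (None when the request has no Origin header).

    mode "allowlist": credentialed grant only for allow-listed origins.
    mode "reflect":   echo any Origin back with credentials (blind reflection).
    mode "null":      allow-list plus a credentialed grant to the literal
                      "null" origin (sandboxed iframes, opaque origins).
    """
    if request_origin is None:
        return {}
    # Vary on Origin regardless of the outcome so caches never serve one
    # origin's grant to another.
    headers: Dict[str, str] = {"Vary": "Origin"}
    grant = False
    if mode == "reflect":
        grant = True
    elif mode == "null" and request_origin == "null":
        grant = True
    elif request_origin in ALLOWED_ORIGINS:
        grant = True
    if grant:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def classify_cors(request_origin: Optional[str], response: Dict[str, str]) -> str:
    """Classify what a response lets the requesting document read.

    "no-grant"          no cross-origin read permitted
    "public"            wildcard; readable by anyone but browsers drop credentials
    "null-credentialed" literal "null" origin with credentials: any opaque-origin
                        document can read authenticated responses
    "null-anonymous"    literal "null" origin without credentials
    "credentialed"      the request's own origin granted with credentials
    "anonymous"         the request's own origin granted without credentials
    "mismatch"          some other origin named; the browser refuses the read
    """
    acao = response.get("Access-Control-Allow-Origin")
    creds = response.get("Access-Control-Allow-Credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-grant"
    if acao == "*":
        return "public"
    if acao == "null":
        return "null-credentialed" if creds else "null-anonymous"
    if acao == request_origin:
        return "credentialed" if creds else "anonymous"
    return "mismatch"


def grants_unintended_credentialed_read(
    request_origin: Optional[str],
    response: Dict[str, str],
    allowed: FrozenSet[str] = ALLOWED_ORIGINS,
) -> bool:
    """True when the response hands an authenticated read to an origin the
    operator did not deliberately list. A credentialed "null" grant always
    counts, which is the equivalence the thread draws."""
    kind = classify_cors(request_origin, response)
    if kind == "null-credentialed":
        return True
    return kind == "credentialed" and request_origin not in allowed


def audit_mode(mode: str) -> Dict[str, bool]:
    """Probe one responder mode with a few constructed origins and report
    which of them would receive an unintended credentialed grant."""
    probes = ["https://app.example.com", "null", "https://unlisted.example"]  # constructed
    return {o: grants_unintended_credentialed_read(o, cors_headers(o, mode=mode)) for o in probes}


if __name__ == "__main__":
    for mode in ("allowlist", "null", "reflect"):
        print(mode, audit_mode(mode))
```

Running the module prints, for each mode, which probe origins get an unintended authenticated read: the allow-list mode grants none, the `null` mode grants one to the opaque origin, and the reflecting mode grants one to every non-listed origin, which is the equivalence the thread describes.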