- From: Arun Ranganathan <arun@mozilla.com>
- Date: Wed, 17 Jul 2013 11:01:55 -0400
- To: Aymeric Vitte <vitteaymeric@gmail.com>
- Cc: "public-webcrypto@w3.org Group (public-webcrypto@w3.org)" <public-webcrypto@w3.org>, GALINDO Virginie <Virginie.GALINDO@gemalto.com>
On Jul 17, 2013, at 5:41 AM, Aymeric Vitte wrote: > Did you see the remark too for https (get src)? Maybe you can dare putting something like an eval too after thre code retrieval mentioning that's it's not necessarly unsafe or evil, so we know what happens with the code. I think I took care of your push to "use https" from the CDN example. "eval" is probably fine in some circumstances, but so's JSON.parse. > I would find more logical to use the json object instead of the stringified one, since the stringification is used to pass the object via xhr or other, not to handle it in js code. > I'm actually not strongly opinionated on this one. The last discussion thread on this was: http://lists.w3.org/Archives/Public/public-webcrypto/2013Jul/0032.html Seems like Ryan agrees with you. -- A*
Received on Wednesday, 17 July 2013 15:02:48 UTC