W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2008

[whatwg] Caching offline Web applications

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 21 Oct 2008 19:47:43 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0810211945360.1041@hixie.dreamhostps.com>
On Tue, 21 Oct 2008, Dave Camp wrote:
> On Fri, Oct 17, 2008 at 6:36 PM, Ian Hickson <ian at hixie.ch> wrote:
> > Summary of changes:
> 
> >  * Made application caches scoped to their browsing context, and allowed
> >   iframes to start new scopes. By default the contents of an iframe are
> >   part of the appcache of the parent, but if you declare a manifest, you
> >   get your own cache.
> 
> Should this inheritance be subject to the same origin restriction 
> enforced while selecting a cache during navigation?

The same-origin restriction is intended to prevent people from setting up 
their manifests such that another site will stop being fetched from the 
net. In an iframe, the risk isn't present, since you have to go to the 
evil site in the first place, and it has to explicitly pick the victim 
site in an iframe. Since you can't tell what the URL of the victim iframe 
content is anyway, there's no practical difference between it being on a 
remote site or the same site, as far as i can tell.

No?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 21 October 2008 12:47:43 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:06 UTC