Re: [whatwg] [Web-storage] subdomains / cooperation and limits

On Mon, 17 Sep 2012, Brian Kardell wrote:
>
> Ian, you hit the nail on the head with the text section that raised the 
> issue but I still am not entirely sure that I understand... Doesn't this 
> imply that in a case like *.wordpress.com would have a (suggested) limit 
> of 5mb combined for all of its tons and tons of subdomains (at least 
> without additional/constant prompting)?

It wouldn't be "constant" prompting, but yes, the spec does suggest that 
if you visit a dozen WordPress-hosted blogs and they all try to load a 
bunch of content onto your machine, you should probably have to give 
consent or at least be aware of what's going on.


> There are a whole lot of what I would call "common" examples like where 
> it seems (to me anyway) unintuitive given the regularity with which this 
> kind of case would happen to think that that is what is actually 
> proposed.

What's the alternative? Allowing any site to overload your machine with 
infinite amounts of content isn't really a viable solution.


> I can understand blocking access to that data pretty easily, but with 
> postMessage, being in the same top-level domain doesn't even matter so 
> it seems that one could just as easily "subvert the limit" that way.

The difference is that getting a new domain costs money, whereas getting a 
subdomain does not. So the cost of attacking someone with subdomains is 
much lower than with domains.


> I think it isn't really implemented that way anywhere though, is it?
> That is, do browsers really share the limit across subdomains like 
> that...

If they do not, they are likely vulnerable to this kind of griefing.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 18 September 2012 00:22:35 UTC
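
An added illustration of the accounting difference discussed in this message, not code from the spec or from either author: the same storage requests are charged once per origin and once per registrable domain. The class and function names, the three-entry suffix set (a stand-in for the Public Suffix List) and the 1 MB-per-blog figure are constructed assumptions.

```javascript
// Added example: quota accounting per origin vs. per registrable domain.
const LIMIT_BYTES = 5 * 1024 * 1024; // the suggested 5 MB limit from the thread

// Constructed stand-in for the Public Suffix List (assumption, not the real list).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: caller falls back to the full host
}

class QuotaLedger {
  constructor(keyFn) {
    this.keyFn = keyFn;    // maps a URL to the bucket its usage is charged to
    this.used = new Map(); // bucket -> bytes stored
  }
  // Returns "stored", or "prompt" when the bucket would exceed the limit.
  request(origin, bytes) {
    const key = this.keyFn(new URL(origin));
    const total = (this.used.get(key) || 0) + bytes;
    if (total > LIMIT_BYTES) return "prompt"; // nothing stored without consent
    this.used.set(key, total);
    return "stored";
  }
  totalBytes() {
    return [...this.used.values()].reduce((a, b) => a + b, 0);
  }
}

const perOrigin = (url) => url.origin;
const perSite = (url) => registrableDomain(url.hostname) || url.hostname;

// Each host asks to store `bytesEach`; report prompts and bytes on disk.
function simulate(keyFn, hosts, bytesEach) {
  const ledger = new QuotaLedger(keyFn);
  const results = hosts.map((h) => ledger.request(`http://${h}`, bytesEach));
  const prompts = results.filter((r) => r === "prompt").length;
  return { prompts, storedBytes: ledger.totalBytes() };
}

// Constructed input: a dozen blogs on one hosting domain, 1 MB each.
const MB = 1024 * 1024;
const HOSTS = Array.from({ length: 12 }, (_, i) => `blog${i + 1}.wordpress.com`);
console.log("per-origin:", simulate(perOrigin, HOSTS, MB));
console.log("per-site:  ", simulate(perSite, HOSTS, MB));
```

With per-origin buckets all twelve requests are stored silently; with per-site buckets the sixth and later requests need consent and the total on disk stays at the limit.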