- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 8 Jan 2013 04:05:31 +0000 (UTC)
- To: Bobby Holley <bobbyholley@gmail.com>
- Cc: whatwg <whatwg@lists.whatwg.org>
On Mon, 7 Jan 2013, Bobby Holley wrote:
>
> Aside from concerns about stack introspection, the main downside of this
> approach is that it's a blacklist, rather than a whitelist (like our
> other security code), so we'll have to be extra careful when
> implementing anything new on Location. Please keep that in mind when
> updating the spec. ;-)

Can you elaborate on what is a blacklist? The way it ended up in the spec is that everything on Location is blocked if it's a cross-origin access, except for the 'href' setter and 'replace'.

This is an area that I've already screwed up the security model for twice, though, so I would have no trouble believing I screwed it up again...

http://whatwg.org/html#security-3

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 8 January 2013 04:05:53 UTC
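
Added example (not part of the original message, and not any browser's implementation): a JavaScript Proxy model of the rule stated in the message, where cross-origin access to Location is denied except for the 'href' setter and 'replace', set beside a blacklist-style wrapper that lets a later-added member through. The names makeLocation, allowlistView, blocklistView, addNewMember and newMember are hypothetical.

```javascript
// Constructed model of a Location-like object; not a browser's implementation.
function makeLocation(url) {
  const state = { url };
  return {
    get href() { return state.url; },
    set href(v) { state.url = String(v); },
    replace(v) { state.url = String(v); },
    get hash() { const i = state.url.indexOf('#'); return i < 0 ? '' : state.url.slice(i); },
  };
}

function deny(op, prop) {
  throw new Error(`SecurityError: cross-origin ${op} of ${String(prop)}`);
}

// Whitelist: only the 'href' setter and 'replace' are reachable; all else throws.
function allowlistView(loc) {
  return new Proxy(loc, {
    get: (t, p) => (p === 'replace' ? (v) => t.replace(v) : deny('get', p)),
    set: (t, p, v) => (p === 'href' ? Reflect.set(t, p, v) : deny('set', p)),
    has: (t, p) => deny('has', p),
    ownKeys: () => deny('ownKeys', '*'),
    getOwnPropertyDescriptor: (t, p) => deny('describe', p),
    defineProperty: (t, p) => deny('define', p),
    deleteProperty: (t, p) => deny('delete', p),
  });
}

// Blacklist: blocks only the reads known when it was written; the rest passes.
function blocklistView(loc, blockedReads = ['href', 'hash']) {
  return new Proxy(loc, {
    get: (t, p) => (blockedReads.includes(p) ? deny('get', p) : Reflect.get(t, p, t)),
    set: (t, p, v) => (p === 'href' ? Reflect.set(t, p, v) : deny('set', p)),
  });
}

// Hypothetical later addition to Location ('newMember' is an invented name).
function addNewMember(loc) {
  Object.defineProperty(loc, 'newMember',
    { get: () => 'derived from ' + loc.href, configurable: true });
}

// True if reading `prop` through `view` throws.
function isBlocked(view, prop) {
  try { void view[prop]; return false; } catch (e) { return true; }
}
```

After addNewMember runs, the whitelist view still throws on the new name without any change to the wrapper, while the blacklist view returns its value until someone remembers to extend blockedReads.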