- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 2 Jun 2014 15:00:38 +0200
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: WHATWG <whatwg@lists.whatwg.org>

On Mon, Jun 2, 2014 at 2:48 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 6/2/14, 5:19 AM, Anne van Kesteren wrote:
>> This is not the case in Chrome and we'd like this to be no
>> longer the case in Gecko.
>
> Note that it's not clear to me what "we" means in this case. For example,
> I'm unconvinced we want to change Gecko behavior here.

You're not persuaded by the attack scenario?

>> And then it would only be set for the initial
>> fetch, not after the <iframe> has been navigated.
>
> More precisely, it would be set for loads due to the iframe's src changing
> but not ones due to link clicks and location changes?
>
> Or do you really mean only for the initial fetch and not later changes to
> @src?

Actual changes to @src seem fine since they are under the control of
the page. (At least as much as the allowsameorigindataurl attribute.)

>> I'll be updating Fetch shortly with this new policy
>
> This seems fine, since we want it no matter what; the only disagreement is
> about when that flag should be set, right?

Provided we agree that it is always unset after any redirect, yes.

--
http://annevankesteren.nl/

Received on Monday, 2 June 2014 13:01:03 UTC