- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 16 Apr 2015 06:37:30 +0200
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Aaron Colwell <acolwell@google.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Matthew Wolenetz <wolenetz@google.com>, WHATWG <whatwg@whatwg.org>, Domenic Denicola <d@domenic.me>, Ryan Sleevi <sleevi@google.com>, "public-html-media@w3.org" <public-html-media@w3.org>
On Wed, Apr 15, 2015 at 6:45 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > I believe that the easiest way to avoid this is to make an attempt to > read Response.body raise a SecurityError if the origin is different > (in Firefox terms, we would say "if the response principal is not > subsumed by the script principal"). The proposal is that .body returns an opaque stream object that you cannot read from, but privileged code can. But yes, same general idea as the SOP dances elsewhere. Having said all this, it has come to my attention that Netflix had a change of heart so maybe we do not want to put effort into this new Mixed Content API? It could still be useful for same-scheme-cross-origin-"no-cors" of course, but nobody has asked for that. -- https://annevankesteren.nl/
Received on Thursday, 16 April 2015 04:38:16 UTC