- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 03 Mar 2010 16:51:01 -0500
- To: Anne van Kesteren <annevk@opera.com>
- CC: Olli@pettay.fi, www-dom@w3.org
On 3/3/10 4:47 PM, Anne van Kesteren wrote: >> Use case is that XBL2 widget is provided by some other "domain" than >> the page. Especially if the widget is from UA, it needs to be able to >> check if the event is user initiated so that the widget can prevent >> the page to do evil things like unwanted popups. > > That does not seem like a good reason to expose it to Web content as > well. But maybe I'm missing something. Any time you're doing mashups, and any time different parts of the mashup have different permissions (not an issue right now, but will become one with XBL2 and may become one if Brendan does the data-tainting stuff he wants to do in JS) there needs to be a way for script from origin A to not be trickable by events made up by script from origin B. -Boris
Received on Wednesday, 3 March 2010 21:51:37 UTC