- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 6 Feb 2014 18:28:48 +0100
- To: Jeni Tennison <jeni@jenitennison.com>
- Cc: TAG <www-tag@w3.org>
On Wed, Feb 5, 2014 at 6:16 PM, Jeni Tennison <jeni@jenitennison.com> wrote:
> Am I reading that correctly? Is that a correct interpretation of what browsers do by default?

Testing using the developer tools from Chrome and Firefox following the link in https://bugzilla.mozilla.org/show_bug.cgi?id=968065#c17 the full Bugzilla URL is indeed "leaked" to Google Code. That site meanwhile requests several resources across the origin boundary and also leaks its full URL.

I see where you are going with this and indeed, if you have any cross-origin URL within your capability URL you will be leaking your secret all over.

--
http://annevankesteren.nl/

Received on Thursday, 6 February 2014 17:29:17 UTC
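
The leak described in this message can be audited from the defender's side. The following is an added example, not part of the original email: it lists which cross-origin references in a page served at a capability URL would receive that URL in the `Referer` header, assuming the legacy browser default (full URL sent, except on an HTTPS to HTTP downgrade). The function names, sample URL and sample HTML are constructed for illustration.

```javascript
// Added example (not from the original message). Models the legacy default
// referrer behaviour: full URL sent cross-origin, except HTTPS -> HTTP.

// The Referer value for a document URL never includes fragment or userinfo.
function refererFor(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

// Return every cross-origin src/href in the HTML that would receive the
// page's URL as Referer (subresources on load, links on click).
function findReferrerLeaks(pageUrl, html) {
  const page = new URL(pageUrl);
  const referer = refererFor(pageUrl);
  const leaks = [];
  const attr = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(attr)) {
    let target;
    try {
      target = new URL(m[1], page); // resolve relative references
    } catch {
      continue; // unparseable reference, nothing is requested
    }
    if (!/^https?:$/.test(target.protocol)) continue; // mailto:, data:, ...
    if (target.origin === page.origin) continue;      // same origin, no leak
    // Legacy default suppresses the header on a downgrade to plain HTTP.
    if (page.protocol === "https:" && target.protocol === "http:") continue;
    leaks.push({ target: target.href, origin: target.origin, referer });
  }
  return leaks;
}

// Constructed sample: a capability URL and the markup served at it.
const SAMPLE_URL = "https://files.example/share/s3cr3t-token-123?view=1#page2";
const SAMPLE_HTML = `
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/lib.js"></script>
<img src="http://img.example.org/banner.png">
<a href="https://other.example.com/docs">Docs</a>
<a href="mailto:admin@files.example">Contact</a>
`;

console.log(findReferrerLeaks(SAMPLE_URL, SAMPLE_HTML));
```

Each entry in the result is a third-party origin that would see the secret path and query string; an empty result is what a page behind a capability URL should produce.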