[whatwg] Caching offline Web applications

Ian Hickson ian at hixie.ch
Tue Oct 21 12:47:43 PDT 2008


On Tue, 21 Oct 2008, Dave Camp wrote:
> On Fri, Oct 17, 2008 at 6:36 PM, Ian Hickson <ian at hixie.ch> wrote:
> > Summary of changes:
> 
> >  * Made application caches scoped to their browsing context, and allowed
> >   iframes to start new scopes. By default the contents of an iframe are
> >   part of the appcache of the parent, but if you declare a manifest, you
> >   get your own cache.
> 
> Should this inheritance be subject to the same origin restriction 
> enforced while selecting a cache during navigation?

The same-origin restriction is intended to prevent people from setting up 
their manifests such that another site will stop being fetched from the 
net. In an iframe, the risk isn't present, since you have to go to the 
evil site in the first place, and it has to explicitly pick the victim 
site in an iframe. Since you can't tell what the URL of the victim iframe 
content is anyway, there's no practical difference between it being on a 
remote site or the same site, as far as i can tell.

No?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list