[whatwg] Location object identity and navigation behavior
Ian Hickson
ian at hixie.ch
Mon Jan 7 20:05:31 PST 2013
On Mon, 7 Jan 2013, Bobby Holley wrote:
>
> Aside from concerns about stack introspection, the main downside of this
> approach is that it's a blacklist, rather than a whitelist (like our
> other security code), so we'll have to be extra careful when
> implementing anything new on Location. Please keep that in mind when
> updating the spec. ;-)

Can you elaborate on what is a blacklist?

The way it ended up in the spec is that everything on Location is blocked
if it's a cross-origin access, except for the 'href' setter and 'replace'.

This is an area that I've already screwed up the security model for twice,
though, so I would have no trouble believing I screwed it up again...

http://whatwg.org/html#security-3

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
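
The following is an added example, not part of the original message and not browser or spec code. It models the rule described above (cross-origin access to Location is blocked except for the 'href' setter and 'replace') next to a blacklist-style check, to show how each one treats a member added later. The `ancestorUrls` member, the denied list and the example URLs are hypothetical.

```javascript
// Simplified model, constructed for illustration (not browser or spec code).
// Cross-origin operations the message names as permitted.
const CROSS_ORIGIN_ALLOWED = new Set(["set:href", "call:replace"]);

// Blacklist variant for contrast: a constructed list of members someone remembered to block.
const CROSS_ORIGIN_DENIED = new Set([
  "get:href", "get:hash", "set:hash", "call:assign", "call:reload",
]);

function makeLocation(url) {
  return {
    href: url,
    hash: "",
    replace(u) { this.href = u; },
    assign(u) { this.href = u; },
    reload() {},
    // Hypothetical member added later, standing in for "anything new on Location".
    ancestorUrls: ["https://a.example/private"],
  };
}

// Wrap a Location-like object; every get, set and call goes through isPermitted
// unless the caller is same-origin.
function crossOriginView(target, sameOrigin, isPermitted) {
  const check = (op) => {
    if (!sameOrigin && !isPermitted(op)) throw new Error("SecurityError: " + op);
  };
  return new Proxy(target, {
    get(t, prop) {
      if (typeof t[prop] === "function") {
        // Methods are checked when called, not when looked up.
        return (...args) => { check("call:" + String(prop)); return t[prop](...args); };
      }
      check("get:" + String(prop));
      return t[prop];
    },
    set(t, prop, value) {
      check("set:" + String(prop));
      t[prop] = value;
      return true;
    },
  });
}

const allowlist = (op) => CROSS_ORIGIN_ALLOWED.has(op);   // default deny
const denylist = (op) => !CROSS_ORIGIN_DENIED.has(op);    // default allow

// Returns "allowed" or "blocked" for one attempted access.
function attempt(fn) {
  try { fn(); return "allowed"; } catch (e) { return "blocked"; }
}
```

Under the whitelist check the new member is blocked without anyone touching the security code; under the blacklist check it is readable cross-origin until someone adds it to the list.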