[whatwg] Need to define same-origin policy for WebIDL operations/getters/setters
Boris Zbarsky
bzbarsky at MIT.EDU
Wed Jan 9 14:24:34 PST 2013
On 1/9/13 5:19 PM, Adam Barth wrote:
> Those checks are neither required for compatibility nor security. The
> spec might say to perform the checks, but they aren't needed to build
> a secure, compatible browser.
OK. So what checks do you believe are required, then? Just effective
script origin checks on Window?
I would really appreciate it if you would actually describe the security
model you think the spec should have instead of us having to guess what
parts you think are needed and which parts you think are not needed,
with more gotchas and details all the time.
-Boris