On Thu, Jan 7, 2016 at 8:46 PM, Anne van Kesteren <ann...@annevk.nl> wrote:
> At least enforcing CORS-same-origin would be somewhat trivial from a
> specification perspective since all fetches go through Fetch. Limiting
> plugins and other affected features would be some added conditionals
> here and there. I don't see how content changes would have an impact
> since you can only change the policy through navigation at which point
> you'd have a new global and such anyway.
>

Some of the things that would need to be handled:
-- <input type="file"> controls need to not expose sensitive data about file paths
-- For SVG images we disable native themes to avoid those being inspectable by the Web site
-- Non-origin-clean canvas images, <video> frames and MediaStream frames would have to be suppressed
-- Non-same origin content (<img>, <iframe>, etc) would have to be blocked. This isn't as simple as a change to Fetch, since a site could create an element and load its contents in an unrestricted browsing context and move it into a different document with different rules.
-- :visited

Rob
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform