On Wed, Jul 3, 2013 at 8:08 AM, Benjamin Smedberg <benja...@smedbergs.us> wrote:

> We do not want
>>
>> url = new URL(rel, base)
>>
>> to differ across engines for any rel or base
>>
>
> I don't understand why it matters. chrome: and resource: are both
> gecko-specific extensions and we have no desire to standardize them.
> Chromium uses a different scheme for their chrome: protocol.
>
> Web content typically is not allowed to link or load chrome resources,
> although there is an ancient exception for chrome://global that was
> included for remote XUL and may not be necessary any more. But I don't
> think we should either try to standardize these protocols, nor should we
> try to change URL parsing behavior depending on whether we're chrome or
> content.
>

Is there ever a reason for content to do |new URL(foo)| for some
resource:// or chrome:// foo? If so, why can't we just check the subject
principal in the constructor and forbid it? Seems like good
defense-in-depth to me.

bholley
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
