On Fri, Sep 12, 2014 at 11:56 AM, Frederik Braun <fbr...@mozilla.com> wrote:
> Yes and no. I identified this while working on a thesis on the Same
> Origin Policy in 2012 and filed this only for Geolocation in bug
> <https://bugzilla.mozilla.org/show_bug.cgi?id=812147>.
>
> But the general solution might be a permission manager rewrite, I suppose?

That seems like a good idea. TLS permissions leaking to non-TLS seems really bad. Cross-port also does not seem ideal. I hope it's not as bad as cookies in that it also depends on Public Suffix?

If we rewrite I think it would be good to take top-level browsing context partitioning under consideration. That is, if I navigate to https://example/ and grant it the ability to do X, and then navigate to https://elsewhere.invalid/ which happens to embed https://example/, the embedded https://example/ does not have the ability to do X.

--
http://annevankesteren.nl/
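
The keying difference discussed in this message, as an added example that is not part of the original e-mail and is not Firefox's permission manager code: a host-keyed store reproduces the TLS-to-non-TLS and cross-port leak, while a store keyed on full origin plus the top-level origin denies the embedded case. The class names, method names and port 8443 are hypothetical.

```javascript
// Toy model only. Class and method names are hypothetical, not a browser API.

// Keyed on host alone: scheme and port are ignored, so one grant covers
// http://, https:// and every port on that host.
class HostKeyedStore {
  constructor() { this.grants = new Set(); }
  key(url, perm) { return `${new URL(url).hostname}|${perm}`; }
  grant(url, perm) { this.grants.add(this.key(url, perm)); }
  allowed(url, perm) { return this.grants.has(this.key(url, perm)); }
}

// Keyed on (top-level origin, requesting origin, permission).
// URL.origin includes scheme, host and port.
class PartitionedStore {
  constructor() { this.grants = new Set(); }
  key(topLevelUrl, url, perm) {
    return `${new URL(topLevelUrl).origin}|${new URL(url).origin}|${perm}`;
  }
  grant(topLevelUrl, url, perm) { this.grants.add(this.key(topLevelUrl, url, perm)); }
  allowed(topLevelUrl, url, perm) {
    return this.grants.has(this.key(topLevelUrl, url, perm));
  }
}

function demo() {
  const site = "https://example/";          // URL from the message
  const embedder = "https://elsewhere.invalid/";
  const perm = "geolocation";

  const hostKeyed = new HostKeyedStore();
  hostKeyed.grant(site, perm);

  const partitioned = new PartitionedStore();
  partitioned.grant(site, site, perm);      // granted while example is top-level

  return {
    hostKeyedLeaksToHttp: hostKeyed.allowed("http://example/", perm),
    hostKeyedLeaksCrossPort: hostKeyed.allowed("https://example:8443/", perm),
    partitionedTopLevel: partitioned.allowed(site, site, perm),
    partitionedHttp: partitioned.allowed("http://example/", "http://example/", perm),
    partitionedCrossPort: partitioned.allowed(site, "https://example:8443/", perm),
    partitionedEmbedded: partitioned.allowed(embedder, site, perm),
  };
}
```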