Thomas Roessler, 2009-04-06 11:19 +0200:
> (The http-wg discussion looked ill-informed; among other things, they didn't
> understand the relationship with CORS.)
I'm not sure if "ill-informed" is the best way to describe it (at
least it's perhaps not the most diplomatic). But along with the
i
On Tue, Apr 7, 2009 at 5:55 PM, Tyler Close wrote:
>> You are proposing a model where there's two types of XHR objects. One
>> where we specifically tell users that you can rely on the request
>> won't be sent cross site, and one where you can't.
>
> I'm proposing that we leave the existing securi
On Tue, Apr 7, 2009 at 5:29 PM, Jonas Sicking wrote:
> On Tue, Apr 7, 2009 at 4:16 PM, Tyler Close wrote:
>> On Tue, Apr 7, 2009 at 3:57 PM, Jonas Sicking wrote:
>>> My point is that having two APIs that are identical and intended to be
>>> used for basically the same thing, except for that they
Hello All,
Last summer Mozilla introduced potential Working Group items, among
which was Content Security Policy. We have done a lot of work refining
this proposal and I would like to re-submit it for comment and critique:
https://wiki.mozilla.org/Security/CSP
https://wiki.mozilla.org/Security/C
On Tue, Apr 7, 2009 at 4:16 PM, Tyler Close wrote:
> On Tue, Apr 7, 2009 at 3:57 PM, Jonas Sicking wrote:
>> My point is that having two APIs that are identical and intended to be
>> used for basically the same thing, except for that they use different
>> security models, is a security bug waitin
On Tue, Apr 7, 2009 at 3:57 PM, Jonas Sicking wrote:
> My point is that having two APIs that are identical and intended to be
> used for basically the same thing, except for that they use different
> security models, is a security bug waiting to happen.
So you do of course realize that this is ex
On Tue, Apr 7, 2009 at 10:38 AM, Tyler Close wrote:
> On Mon, Apr 6, 2009 at 6:31 PM, Jonas Sicking wrote:
>> On Mon, Apr 6, 2009 at 5:36 PM, Tyler Close wrote:
>>> On Mon, Apr 6, 2009 at 5:21 PM, Jonas Sicking wrote:
Additionally, if the attacker can make a GET request happen to any
On Tue, Apr 7, 2009 at 10:24 AM, Bil Corry wrote:
> How set in stone is Origin within CORS?
I don't think we want to impede CORS with these issues. CORS is quite
close to shipping in a number of implementations. I certainly don't
want to hold it hostage.
> The ideal scenario would be to merge
On Apr 2, 2009, at 6:01 PM, ext Priestley, Mark, VF-Group wrote:
Comments inline.
FWIW my view is that if there is a valid use case for a widget being
able to access information in a signature file, either it should access
this information using an API or we should add further restrictions t
During the April 2 widgets call, Frederick raised concerns about
synchronizing the Widgets DigSig spec with XML Signatures 1.1 and
Signature properties [1], given the schedule proposed in [2] which
seeks to help align our widgets specs with BONDI's use of those specs
for their 1.0 RC.
Fre
On Mon, Apr 6, 2009 at 6:31 PM, Jonas Sicking wrote:
> On Mon, Apr 6, 2009 at 5:36 PM, Tyler Close wrote:
>> On Mon, Apr 6, 2009 at 5:21 PM, Jonas Sicking wrote:
>>> Additionally, if the attacker can make a GET request happen to
>>> any URI but with a sensitive password added, it is quite likely
Adam Barth wrote on 4/7/2009 11:54 AM:
> On Mon, Apr 6, 2009 at 2:09 PM, Bil Corry wrote:
>> Can we please include the Origin header for all same-origin requests,
>> including GET and HEAD? Or is there a compelling reason why not to do so?
>>
>> Also, would there be value in having Origin sent
On Mon, Apr 6, 2009 at 2:09 PM, Bil Corry wrote:
> Can we please include the Origin header for all same-origin requests,
> including GET and HEAD? Or is there a compelling reason why not to do so?
>
> Also, would there be value in having Origin sent for *all* requests, and if
> populating Origi
On 7 Apr 2009, at 11:51, Robin Berjon wrote:
There are two ends to this spectrum: one is developing a toolbox
technology that can just fit with other technologies, the other is
defining a platform that developers can author content for in a
reliable manner.
I don't have a strong opinion o
On Tue, 07 Apr 2009 01:49:13 +0200, Tyler Close wrote:
Well, Anne, as I said in the previous paragraph, the one you deleted,
I'm considering an application that does its messaging via
XMLHttpRequest.
Sheesh.
My bad. However, just being able to insert a URI and not do anything else
sounds a
Hi everyone.
The database section of the webstorage specification needs some clarification
in a specific use case.
http://dev.w3.org/html5/webstorage/#sql
Please consider a typical webpage, that on first load, opens a database (using
openDatabase) and then creates a read-only transaction to rea
On Apr 7, 2009, at 12:25 , Marcos Caceres wrote:
On Tue, Apr 7, 2009 at 11:10 AM, Robin Berjon wrote:
Well, my understanding was that we had to have Web Storage for API & Events
anyway since that's what implements preferences (and we need to define how
it's used so that we can get read-only
On Tue, Apr 7, 2009 at 11:10 AM, Robin Berjon wrote:
> On Apr 7, 2009, at 06:37 , Jonas Sicking wrote:
>>
>> On Mon, Apr 6, 2009 at 8:48 AM, Scott Wilson wrote:
>>>
>>> On 6 Apr 2009, at 15:33, Anne van Kesteren wrote:
>>>
You will have this problem regardless of how you solve this issue
On Apr 7, 2009, at 06:37 , Jonas Sicking wrote:
On Mon, Apr 6, 2009 at 8:48 AM, Scott Wilson wrote:
On 6 Apr 2009, at 15:33, Anne van Kesteren wrote:
You will have this problem regardless of how you solve this issue if you
do not also require a specific scripting language, markup language
Thanks for the review of my review
Replies inline
> -----Original Message-----
> From: timeless.b...@gmail.com [mailto:timeless.b...@gmail.com]
> On Behalf Of timeless
> Sent: 07 April 2009 08:01
> To: Priestley, Mark, VF-Group
> Cc: Arthur Barstow; public-webapps
> Subject: Re: [widgets] New WD of Wi
Mark Priestley wrote:
> Change to:
>
> "Thus in the case that one or more distributor signatures were
Surely you mean 'more than one'.
> validated, the highest numbered distributor signature would be validated
> first."
Do you really mean 'were validated', or do you mean 'are available for
valida
21 matches