On May 13, 2010, at 6:40 PM, Dirk Pranke wrote:
> On Thu, May 13, 2010 at 6:13 PM, Maciej Stachowiak wrote:
>> ; you're right.
>
>>
>> If you don't run the code in an off-domain iframe or through a sanitizer
>> like Caja, then everything on your site is vulnerable, not just resources
>> prot
On Fri, 14 May 2010 03:40:12 +0200, Dirk Pranke
wrote:
Exactly, so the off-domain IFRAME is the only option here.
is an alternative solution, if
you want everything in the same document.
--
Anne van Kesteren
http://annevankesteren.nl/
On May 14, 2010, at 1:17 AM, Anne van Kesteren wrote:
> On Fri, 14 May 2010 03:40:12 +0200, Dirk Pranke wrote:
>> Exactly, so the off-domain IFRAME is the only option here.
>
> is an alternative solution, if you
> want everything in the same document.
That's right, the new iframe features in
Hi Ben, Vivek, Nathan,
Great thanks for your reviews!
I am forwarding your comments (or pointers to them) to the Bondi ML and the
authors of the API.
I am sorry, but due to time constraints I am not able now to dive deeper into
the comments (although I'd love to :) ).
Thanks,
Marcin
Marcin Han
In that case we could create, say public-script-i18n-coord list, and
move this discussion there. Doug, could you help us with that?
Nebojsa
On Thu, May 13, 2010 at 6:02 PM, Phillips, Addison wrote:
> Our (I18N activity) experience seems to suggest that a dedicated list is more
> useful when a p
On Thu, May 13, 2010 at 7:53 PM, Ian Hickson wrote:
> On Thu, 13 May 2010, Dirk Pranke wrote:
>>
>> The initial, insecure CORS solution is straightforward ... a "gadget"
>> running on My Yahoo! sends an XHR with the users' credentials to
>> "http://finance.yahoo.com/api/v1/my_portfolio"; and gets
On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak wrote:
> OK, so there's two vulnerability scenarios:
Actually, there is at least one other kind of vulnerability in the
CORS design that has not been mentioned by anyone yet and that does
not require XSS or untrusted code.
Before I describe the
Simpler and/or shorter would indeed be good, although it may be too
late.
Jonas, IE Guys (Chris, Adrian, ...) - what is your input on this issue?
-Art Barstow
On May 13, 2010, at 3:39 AM, ext Maciej Stachowiak wrote:
On May 6, 2010, at 5:30 PM, Anne van Kesteren wrote:
Here is a brief pro
On Fri, May 14, 2010 at 10:18 AM, Arthur Barstow wrote:
> Simpler and/or shorter would indeed be good, although it may be too late.
>
> Jonas, IE Guys (Chris, Adrian, ...) - what is your input on this issue?
Like I've said before, I'd be fine with transitioning to new header
names, but it'd requi
On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak wrote:
>
>> On May 13, 2010, at 6:40 PM, Dirk Pranke wrote:
>
>>> On Thu, May 13, 2010 at 6:13 PM, Maciej Stachowiak wrote:
>
>> ; you're right.
>
>>> If you don't run the code in an off-domain iframe or through a sanitizer
>>> like Caja, then ev
On Fri, May 14, 2010 at 1:17 AM, Anne van Kesteren wrote:
> On Fri, 14 May 2010 03:40:12 +0200, Dirk Pranke
> wrote:
>>
>> Exactly, so the off-domain IFRAME is the only option here.
>
> is an alternative solution, if you
> want everything in the same document.
>
HTML 5 to the rescue!
-- Dirk
On Fri, May 14, 2010 at 11:00 AM, Dirk Pranke wrote:
> On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak wrote:
>> There are also more subtle risks to shared secrets. If you are creating your
>> secrets with a bad random number generator, then they will not in fact be
>> unguessable and you have
On Fri, May 14, 2010 at 10:18 AM, Tyler Close wrote:
> On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak wrote:
>> OK, so there's two vulnerability scenarios:
>
> Actually, there is at least one other kind of vulnerability in the
> CORS design that has not been mentioned by anyone yet and that d
On 5/13/10 9:32 PM, Darin Fisher wrote:
Glad to hear that you didn't intend sync access :-)
I have thoughts on Blob and how it should behave (and about the
inheritance relationship between Blob and File), which is why I left the
unfortunate error in the editor's draft for now (commented o
On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke wrote:
> On Fri, May 14, 2010 at 10:18 AM, Tyler Close wrote:
>> On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak wrote:
>>> OK, so there's two vulnerability scenarios:
>>
>> Actually, there is at least one other kind of vulnerability in the
>> COR
On Fri, May 14, 2010 at 12:00 PM, Tyler Close wrote:
> On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke
> wrote:
> > You are correct that it is possible to use CORS unsafely. It is possible
> to use
> > UMP unsafely,
>
> Again, that is broken logic. It is possible to write unsafe code in
> C++, but
On Fri, May 14, 2010 at 12:00 PM, Tyler Close wrote:
> On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke wrote:
>> On Fri, May 14, 2010 at 10:18 AM, Tyler Close wrote:
>>> On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak wrote:
OK, so there's two vulnerability scenarios:
>>>
>>> Actually, th
On Fri, May 14, 2010 at 12:20 PM, Ojan Vafai wrote:
> On Fri, May 14, 2010 at 12:00 PM, Tyler Close wrote:
>>
>> On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke
>> wrote:
>> > You are correct that it is possible to use CORS unsafely. It is possible
>> > to use
>> > UMP unsafely,
>>
>> Again, that
On Fri, May 14, 2010 at 12:27 PM, Tyler Close wrote:
> On Fri, May 14, 2010 at 12:20 PM, Ojan Vafai wrote:
>> On Fri, May 14, 2010 at 12:00 PM, Tyler Close wrote:
>>>
>>> On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke
>>> wrote:
>>> > You are correct that it is possible to use CORS unsafely. It
On Fri, May 14, 2010 at 12:27 PM, Dirk Pranke wrote:
> On Fri, May 14, 2010 at 12:00 PM, Tyler Close wrote:
>> On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke wrote:
>>> On Fri, May 14, 2010 at 10:18 AM, Tyler Close wrote:
On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak wrote:
> OK,
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9738
Summary: Improve IDL documentation
Product: WebAppsWG
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Keywords: editorial
Severity: minor
P
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9739
Summary: Editorial review from timeless on March 24, 2010
Product: WebAppsWG
Version: unspecified
Platform: All
URL: http://krijnhoetmer.nl/irc-logs/webapps/20100324
OS/Version: All
On Fri, May 14, 2010 at 1:44 PM, Tyler Close wrote:
> On Fri, May 14, 2010 at 12:27 PM, Dirk Pranke wrote:
>> On Fri, May 14, 2010 at 12:00 PM, Tyler Close wrote:
>>> On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke wrote:
On Fri, May 14, 2010 at 10:18 AM, Tyler Close
wrote:
> On F
On 5/12/10 4:25 AM, Ashley Sheridan wrote:
On Wed, 2010-05-12 at 00:05 -0400, Biju wrote:
It would be good if we can also get the same at server side when user
upload a file using form with file controls
ie, like the suggestion at https://bugzilla.mozilla.org/show_bug.cgi?id=549253
(it work
24 matches
Mail list logo
