It seems the problem equally affects embedded objects can be loaded from a
different origin as well.
Chris
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert O'Callahan
Sent: Friday, September 26, 2008 3:31 AM
To: Michal Zalewski
Cc: Maciej Stachowiak;
On Thu, 25 Sep 2008, Maciej Stachowiak wrote:
I meant, corner of the container, rather than actual document rendered
within.
Then can't you work around the restriction by scrolling the contents
inside the iframe and sizing it carefully? (One way to scroll an iframe
to a desired position is
On Thu, 25 Sep 2008 22:17:00 +0200, Collin Jackson [EMAIL PROTECTED]
wrote:
6) New cookie attribute: The httpOnly cookie flag allows sites to
put restrictions on how a cookie can be accessed. We could allow a new
flag to be specified in the Set-Cookie header that is designed to
prevent CSRF and
Prohibiting third-party embedded content would disable media embedded in
blogs.
Chris
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Elliotte Harold
Sent: Friday, September 26, 2008 5:21 PM
To: whatwg@lists.whatwg.org
Subject: Re: [whatwg] Dealing with
Kristof Zelechovski wrote:
Prohibiting third-party embedded content would disable media embedded in
blogs.
Absolutely false. The media simply needs to be served from the same host
the blog itself is. This is how almost all the media in my blogs works
today. What little content comes from a
On Fri, 26 Sep 2008, Maciej Stachowiak wrote:
Maybe I didn't read very well, but I don't see how the clause for UI action
optimizations would prevent what I described. Could you spell it out for me
please? It seems to me that the embedded iframes for iGoogle gadgets (or
similar) will indeed
Ozob the Great wrote:
The bandwidth cost of hosting video makes this option unworkable for
some blogs.
And yet someone's hosting that bandwidth today. This need not involve
any net increase in bandwidth. It would just involve a rejiggering of
hosting models.
--
Elliotte Rusty Harold
If a user in America watches a media stream hosted in America but embedded
on a blog page hosted in Europe, the media stream would have to cross the
ocean twice. This is not a trifle.
Chris
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Elliotte Rusty
Michal Zalewski wrote:
I kinda assumed this suggestion was tongue-in-cheek, but if not -
banning cross-domain IFRAMEs to fix one flaw, without providing viable
methods for sandboxing untrusted same-origin content, would leave web
developers with no tools to deal with quite a few classes of
On Sat, Sep 27, 2008 at 9:19 AM, Elliotte Rusty Harold
[EMAIL PROTECTED] wrote:
I do think we have an existence proof that security in this realm is
possible. That's Java. Modulo some outright bugs in VMs (since repaired) the
default Java applet security model has worked and worked well since
On Fri, 26 Sep 2008, Elliotte Rusty Harold wrote:
It's tongue-in-cheek that I don't expect it to be adopted or seriously
considered (this year). It's not tongue-in-cheek in that I very much
wish it were adopted. That is, I think it's in the realm of the
desirable, not the possible.
Oh yup,
Robert O'Callahan wrote:
On Sat, Sep 27, 2008 at 9:19 AM, Elliotte Rusty Harold
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
I do think we have an existence proof that security in this realm is
possible. That's Java. Modulo some outright bugs in VMs (since
repaired) the
On Sat, Sep 27, 2008 at 11:55 AM, Elliotte Rusty Harold
[EMAIL PROTECTED] wrote:
As I said, it's an existence proof. Sun's inability to provide decent
developer tools (unlike Adobe) doesn't reflect on the capability of the
model.
That has nothing to do with it.
You're saying Java's
Hi David,
- Original Message -
From: ddailey [EMAIL PROTECTED]
To: Richard's Hotmail [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, September 21, 2008 10:33 PM
Subject: Re: [whatwg] WebSocket support in HTML5
Hi Richard,
My apologies for getting involved in a topic I confess to
Hi David,
Sorry, forgot to mention a UDP Socket push technology demo, that I'd also
like to be able to achieve with WebSockets rather than Java Applet Sockets.
Please explain how the functionality employed in the following code could
ever be achieved with the proposed WebSockets: -
Hi Rob,
You're saying Java's security model is adequate for what people want to do on
the Web.
I say that is unproven since people are not using Java on the Web.
*Why* they are not using Java on the Web is irrelevant.
I certainly don't know what's on every web-page out there, but when it
On Sat, Sep 27, 2008 at 3:17 PM, Richard's Hotmail [EMAIL PROTECTED] wrote:
https://jdk6.dev.java.net/plugin2/
http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html
We have a W3C spec for the latter called Access Controls, which is a good
deal more secure than Java/Flash's
Robert O'Callahan wrote:
You're saying Java's security model is adequate for what people want to
do on the Web. I say that is unproven since people are not using Java on
the Web. *Why* they are not using Java on the Web is irrelevant.
Java's security model is absolutely adequate for what