On 6/17/13 1:44 PM, Boris Zbarsky wrote:
On 6/17/13 6:05 AM, Simon Pieters wrote:
What's in CSSOM now is "tainting".
Sort of. I think of tainting as "you can write to it but read from
it", but what's in CSSOM is "you can't touch it".
True.
In CSSOM, since writing can have observable effect
On 6/17/13 7:38 AM, Anne van Kesteren wrote:
On Fri, Nov 30, 2012 at 11:47 AM, Boris Zbarsky wrote:
Right. My point was that "cross-origin" for the case of stylesheet at least
in Gecko depends on the origin of the script that tries to modify them, not
on the origin of the document that linked
On 6/17/13 6:05 AM, Simon Pieters wrote:
What's in CSSOM now is "tainting".
Sort of. I think of tainting as "you can write to it but read from it",
but what's in CSSOM is "you can't touch it". I guess the point is that
whether you can touch or not is detected statically at load time?
Ther
On Fri, Nov 30, 2012 at 11:47 AM, Boris Zbarsky wrote:
> Right. My point was that "cross-origin" for the case of stylesheet at least
> in Gecko depends on the origin of the script that tries to modify them, not
> on the origin of the document that linked to them...
Is there a good reason for thi
On 11/30/12 3:13 AM, Boris Zbarsky wrote:
Sure. We don't do any sort of "tainting" either, though; we simply
remember the origin of the CSS (where it was actually loaded from,
post-redirect, not the original URI) and do a same-origin check when
you try to use the CSSOM on it. Note that this ch
On Thu, Nov 29, 2012 at 6:44 PM, Ian Hickson wrote:
> On Thu, 29 Nov 2012, Boris Zbarsky wrote:
>> > Anyway, this is somewhat moot to me because it'll all have to be
>> > defined by whatever spec it is that currently says that a CSS sheet on
>> > http: can't import an image on file:, etc.
>>
>> He
On 11/29/12 9:44 PM, Ian Hickson wrote:
The behaviour called "tainting" in this context in the spec just means
"treat as a cross-origin resource"
Right. My point was that "cross-origin" for the case of stylesheet at
least in Gecko depends on the origin of the script that tries to modify
them
On Thu, 29 Nov 2012, Boris Zbarsky wrote:
> >
> > Anyway, this is somewhat moot to me because it'll all have to be
> > defined by whatever spec it is that currently says that a CSS sheet on
> > http: can't import an image on file:, etc.
>
> Heh. Does it affect things like CSP in any way?
No i
On 11/29/12 5:09 PM, Ian Hickson wrote:
Well, yeah, but the sheet knows which mode it's in, so I don't think that
part of it is a big deal.
Maybe. Problems can arise with a sheet that itself sends CORS headers
but links to sheets that don't and that's tested in a UA that doesn't do
. But OK
On Wed, 28 Nov 2012, Boris Zbarsky wrote:
> On 11/28/12 7:42 PM, Ian Hickson wrote:
> > Done, at least on the HTML side. For now it just makes .sheet return
> > null for cross-origin resources.
>
> Pretty sure that's not web-compatible...
Yeah, I don't expect it is. This stuff is going to change
On 11/28/12 11:03 PM, Boris Zbarsky wrote:
Inheriting the mode isn't so bad, all it really does is decide whether or
not to send an Origin header.
Not quite. It also affects what happens when the server doesn't respond
with an appropriate Allow-Origin.
Oh, I see. You've added this "taint" t
On 11/28/12 7:42 PM, Ian Hickson wrote:
Done, at least on the HTML side. For now it just makes .sheet return null
for cross-origin resources.
Pretty sure that's not web-compatible...
If that's not quite right, please update this
bug with the details:
https://www.w3.org/Bugs/Public/show_b
On Thu, 1 Mar 2012, Robert Kieffer wrote:
>
> For reasons documented in
> https://bugzilla.mozilla.org/show_bug.cgi?id=696301, I'd like to propose
> that support for the "crossorigin" attribute be added to SCRIPT tags.
>
> tl;dr - When applied to window.onerror information, the same-origin
> po
13 matches