On Wed, 2 Feb 2011, Henri Sivonen wrote:
On Feb 2, 2011, at 03:07, Ian Hickson wrote:
I suppose we could make it so that scripts get neutered when the document
that they were first associated with gets unloaded. Would that work?
We did something different.
Proposal #1:
Proposal
On Feb 2, 2011, at 03:07, Ian Hickson wrote:
I suppose we could make it so that scripts get neutered when the document
that they were first associated with gets unloaded. Would that work?
We did something different.
Proposal #1:
Proposal #4 (what Gecko now does):
* If at the time when
On Thu, 9 Sep 2010, Henri Sivonen wrote:
On Sep 9, 2010, at 00:47, Ian Hickson wrote:
On Fri, 3 Sep 2010, Henri Sivonen wrote:
When evaluating a parser-inserted script, there are three potential
script global objects to use:
1) The script global object of the document whose active
On Sep 9, 2010, at 00:47, Ian Hickson wrote:
On Fri, 3 Sep 2010, Henri Sivonen wrote:
When evaluating a parser-inserted script, there are three potential script
global objects to use:
1) The script global object of the document whose active parser the parser
that inserted the script is.
On Tue, 07 Sep 2010 22:57:27 +0200, Adam Barth w...@adambarth.com wrote:
It sounds like CSP is creating sub-origin privileges. Sub-origin
privileges don't really work, so it's unclear to what a sensible
result would be.
This is a problem with your alternative CSP proposal as well, no?
On Wed, Sep 8, 2010 at 2:10 AM, Anne van Kesteren ann...@opera.com wrote:
On Tue, 07 Sep 2010 22:57:27 +0200, Adam Barth w...@adambarth.com wrote:
It sounds like CSP is creating sub-origin privileges. Sub-origin
privileges don't really work, so it's unclear to what a sensible
result would be.
On Wed, 08 Sep 2010 11:20:30 +0200, Adam Barth w...@adambarth.com wrote:
The goal of AllowedScripts is not to limit a privilege to a subset of
an origin. Rather, the goal is to prevent an attacker who can inject
markup into a document from executing script. Put another way, if
you're already
On Wed, Sep 8, 2010 at 2:24 AM, Anne van Kesteren ann...@opera.com wrote:
On Wed, 08 Sep 2010 11:20:30 +0200, Adam Barth w...@adambarth.com wrote:
The goal of AllowedScripts is not to limit a privilege to a subset of
an origin. Rather, the goal is to prevent an attacker who can inject
markup
On Fri, 3 Sep 2010, Henri Sivonen wrote:
When evaluating a parser-inserted script, there are three potential script
global objects to use:
1) The script global object of the document whose active parser the parser
that inserted the script is.
2) The script global object of the document
NOTE! This email contains URLs to pages that crash WebKit on reload, so you
probably shouldn't follow the URLs here in any WebKit-based browser where you
have something important going on in the same renderer process. (In Chrome,
only the isolated content process crashes.)
On Fri, Sep 3, 2010
On Tue, Sep 7, 2010 at 1:40 AM, Henri Sivonen hsivo...@iki.fi wrote:
On Sep 3, 2010, at 20:55, Jonas Sicking wrote:
On Fri, Sep 3, 2010 at 10:47 AM, Adam Barth w...@adambarth.com wrote:
I'm not sure it makes much of a difference from a security point of
view.
Agreed. Pages can only move
When evaluating a parser-inserted script, there are three potential script
global objects to use:
1) The script global object of the document whose active parser the parser
that inserted the script is.
2) The script global object of the document that owned the script element at
the time of
I'm not sure it makes much of a difference from a security point of
view. I suspect WebKit does #3 because it grabs the security context
immediately before executing the script. That actually seems
marginally safer because it means you're unlikely to grab an out-dated
security context.
Adam
On Fri, Sep 3, 2010 at 10:47 AM, Adam Barth w...@adambarth.com wrote:
I'm not sure it makes much of a difference from a security point of
view.
Agreed. Pages can only move elements between pages that are in the
same security context anyway so I can't really think of any attacks
that any of the
On 9/3/10 1:55 PM, Jonas Sicking wrote:
On Fri, Sep 3, 2010 at 10:47 AM, Adam Barthw...@adambarth.com wrote:
I'm not sure it makes much of a difference from a security point of
view.
Agreed. Pages can only move elements between pages that are in the
same security context anyway so I can't
15 matches
Mail list logo