On Wed, Apr 15, 2015 at 6:45 PM, Martin Thomson
<martin.thom...@gmail.com> wrote:
> I believe that the easiest way to avoid this is to make an attempt to
> read Response.body raise a SecurityError if the origin is different
> (in Firefox terms, we would say "if the response principal is not
> subsumed by the script principal").

The proposal is that .body returns an opaque stream object that you
cannot read from, but privileged code can. But yes, same general idea
as the SOP dances elsewhere.

Having said all this, it has come to my attention that Netflix had a
change of heart so maybe we do not want to put effort into this new
Mixed Content API? It could still be useful for
same-scheme-cross-origin-"no-cors" of course, but nobody has asked for
that.


-- 
https://annevankesteren.nl/
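
The gating described in the message above, modelled as an added example that is not code from the thread or from any browser: a `no-cors` response body is handed out only to a reader whose principal subsumes the response's principal, so a same-origin script reads it, a cross-origin (or cross-scheme) script gets a `SecurityError`, and the privileged system principal always reads. The names `Principal`, `GuardedBody`, `SecurityError`, `fetchNoCors` and `readBody`, and the sample bodies, are assumptions made for the example.

```javascript
// Added example, not from the thread or any browser implementation.
// Names and sample data are constructed for illustration.

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443" };

// A principal is either an origin (scheme, host, port) or the privileged
// "system" principal that stands in for browser-internal code.
class Principal {
  constructor(scheme, host, port, system = false) {
    this.scheme = scheme;
    this.host = host;
    this.port = port;
    this.system = system;
  }

  static system() {
    return new Principal(null, null, null, true);
  }

  // Derive an origin principal from a URL, filling in the default port so
  // "https://a.example" and "https://a.example:443" compare equal.
  static fromURL(url) {
    const u = new URL(url);
    const scheme = u.protocol.replace(/:$/, "");
    const port = u.port || DEFAULT_PORTS[scheme] || "";
    return new Principal(scheme, u.hostname, port);
  }

  // "A subsumes B": A may do anything B may do. The system principal
  // subsumes everything; an origin principal subsumes only itself.
  subsumes(other) {
    if (this.system) return true;
    if (other.system) return false;
    return this.scheme === other.scheme &&
           this.host === other.host &&
           this.port === other.port;
  }
}

function describe(p) {
  return p.system ? "[system]" : `${p.scheme}://${p.host}:${p.port}`;
}

// Body bytes tagged with the principal of the response they came from.
// read() releases them only to a reader whose principal subsumes it;
// everyone else sees the stream as opaque.
class GuardedBody {
  #chunks;
  #principal;

  constructor(chunks, responsePrincipal) {
    this.#chunks = chunks;
    this.#principal = responsePrincipal;
  }

  read(readerPrincipal) {
    if (!readerPrincipal.subsumes(this.#principal)) {
      throw new SecurityError(
        `${describe(readerPrincipal)} may not read a body from ${describe(this.#principal)}`);
    }
    return this.#chunks.join("");
  }
}

// Stand-in for a no-cors fetch: the body is a constructed sample, no network.
function fetchNoCors(responseURL, sampleChunks) {
  return new GuardedBody(sampleChunks, Principal.fromURL(responseURL));
}

// Returns the body text, or "SecurityError" when the read is refused.
function readBody(body, readerPrincipal) {
  try {
    return body.read(readerPrincipal);
  } catch (e) {
    if (e instanceof SecurityError) return e.name;
    throw e;
  }
}

// Constructed sample cases: a script on https://app.example reading
// same-origin, cross-origin and cross-scheme responses.
const script = Principal.fromURL("https://app.example/page.html");
const sameOrigin = fetchNoCors("https://app.example:443/api/data", ["{\"ok\":", "true}"]);
const crossOrigin = fetchNoCors("https://cdn.other.example/lib.js", ["secret"]);
const otherScheme = fetchNoCors("http://app.example/api/data", ["plain"]);

console.log(readBody(sameOrigin, script));            // {"ok":true}
console.log(readBody(crossOrigin, script));           // SecurityError
console.log(readBody(otherScheme, script));           // SecurityError
console.log(readBody(crossOrigin, Principal.system())); // secret
```

The scheme is part of the origin tuple on purpose: an `http://` response is not readable by an `https://` script of the same host, which is the same line the mixed-content discussion is drawing.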
