[EMAIL PROTECTED] wrote:
> So there are two different access checking modes based on the stack:
> loading, where only the top principal is used as subject principal;
> executing (either from an inline script, or from a button onclick
> handler, or from an a href="javascript:..." link click). I will work to
> separate the two modes. Our code today uses only the top principal in
> both modes, but we believe this is unsound.

Unsound in the second (execution after load completes) mode, I mean.

/be
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
