On 11/30/12 3:13 AM, Boris Zbarsky wrote:
Sure. We don't do any sort of tainting either, though; we simply
remember the origin of the CSS (where it was actually loaded from,
post-redirect, not the original URI) and do a same-origin check when
you try to use the CSSOM on it. Note that this
On Fri, Nov 30, 2012 at 11:47 AM, Boris Zbarsky bzbar...@mit.edu wrote:
Right. My point was that cross-origin for the case of stylesheet at least
in Gecko depends on the origin of the script that tries to modify them, not
on the origin of the document that linked to them...
Is there a good
On 6/17/13 6:05 AM, Simon Pieters wrote:
What's in CSSOM now is tainting.
Sort of. I think of tainting as you can write to it but read from it,
but what's in CSSOM is you can't touch it. I guess the point is that
whether you can touch or not is detected statically at load time?
There
On 6/17/13 7:38 AM, Anne van Kesteren wrote:
On Fri, Nov 30, 2012 at 11:47 AM, Boris Zbarsky bzbar...@mit.edu wrote:
Right. My point was that cross-origin for the case of stylesheet at least
in Gecko depends on the origin of the script that tries to modify them, not
on the origin of the
On 6/17/13 1:44 PM, Boris Zbarsky wrote:
On 6/17/13 6:05 AM, Simon Pieters wrote:
What's in CSSOM now is tainting.
Sort of. I think of tainting as you can write to it but read from
it, but what's in CSSOM is you can't touch it.
True.
In CSSOM, since writing can have observable effects
On Thu, Nov 29, 2012 at 6:44 PM, Ian Hickson i...@hixie.ch wrote:
On Thu, 29 Nov 2012, Boris Zbarsky wrote:
Anyway, this is somewhat moot to me because it'll all have to be
defined by whatever spec it is that currently says that a CSS sheet on
http: can't import an image on file:, etc.
On Wed, 28 Nov 2012, Boris Zbarsky wrote:
On 11/28/12 7:42 PM, Ian Hickson wrote:
Done, at least on the HTML side. For now it just makes .sheet return
null for cross-origin resources.
Pretty sure that's not web-compatible...
Yeah, I don't expect it is. This stuff is going to change as
On 11/29/12 5:09 PM, Ian Hickson wrote:
Well, yeah, but the sheet knows which mode it's in, so I don't think that
part of it is a big deal.
Maybe. Problems can arise with a sheet that itself sends CORS headers
but links to sheets that don't and that's tested in a UA that doesn't do
link
On Thu, 29 Nov 2012, Boris Zbarsky wrote:
Anyway, this is somewhat moot to me because it'll all have to be
defined by whatever spec it is that currently says that a CSS sheet on
http: can't import an image on file:, etc.
Heh. Does it affect things like CSP in any way?
No idea.
On 11/29/12 9:44 PM, Ian Hickson wrote:
The behaviour called tainting in this context in the spec just means
treat as a cross-origin resource
Right. My point was that cross-origin for the case of stylesheet at
least in Gecko depends on the origin of the script that tries to modify
them, not
On Thu, 1 Mar 2012, Robert Kieffer wrote:
For reasons documented in
https://bugzilla.mozilla.org/show_bug.cgi?id=696301, I’d like to propose
that support for the “crossorigin” attribute be added to SCRIPT tags.
tl;dr - When applied to window.onerror information, the same-origin
policy
On 11/28/12 7:42 PM, Ian Hickson wrote:
Done, at least on the HTML side. For now it just makes .sheet return null
for cross-origin resources.
Pretty sure that's not web-compatible...
If that's not quite right, please update this
bug with the details:
On 11/28/12 11:03 PM, Boris Zbarsky wrote:
Inheriting the mode isn't so bad, all it really does is decide whether or
not to send an Origin header.
Not quite. It also affects what happens when the server doesn't respond
with an appropriate Allow-Origin.
Oh, I see. You've added this taint