[whatwg] Background Geolocation for Progressive Web-Apps

2016-12-01 Thread Richard Maher
Cor, steady on Hixie, it wasn’t me yelling that “WHATWG is broken”. All I’m trying to do is get someone (not me) to start development on a solution for background geolocation in HTML5 Web Apps. Sorry if my post was in/pas apropos. > all that matters is the quality of arguments and data

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Richard Maher
I see what you're saying Michael and also agree it's serious. Would I be correct in thinking that MS Edge solves the problem by not returning window.opener cross-domain? Is the UA not a logical and uniform place for this? BTW I've also experienced the GitHub topic-closure nazis many times :-(

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Michael A. Peters
If window.opener() did not work cross-domain then as far as I can tell that would be secure. On 12/01/2016 07:23 PM, Richard Maher wrote: I see what you're saying Michael and also agree it's serious. Would I be correct in thinking that MS Edge solves the problem by not returning window.opener

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Michael A. Peters
Well if it was done as a header, I suppose it could be added as a http-equiv meta tag for those who want to. Header is the easiest solution to make sure it is applied everywhere without question. It could even be added at the front-end proxy to cover numerous web applications on many domains

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Michael A. Peters
On 12/01/2016 06:14 PM, Elliott Sprehn wrote: On Wed, Nov 30, 2016 at 10:53 PM, Boris Zbarsky wrote: On 12/1/16 1:41 AM, Chris Holland wrote: I think the devil would be in implementation detail. Slapping a "rel/noopener" attribute on a specific link is very deterministic

Re: [whatwg] Background Geolocation for Progressive Web-Apps

2016-12-01 Thread Richard Maher
On Fri, Dec 2, 2016 at 9:41 AM, Karl Dubost wrote: > > On 2 Dec 2016 at 08:53, Richard Maher wrote: > > The main goal of background geolocation reporting > > Previous related threads: > https://groups.google.com/forum/#!topic/mozilla.dev. >

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Elliott Sprehn
On Wed, Nov 30, 2016 at 10:53 PM, Boris Zbarsky wrote: > On 12/1/16 1:41 AM, Chris Holland wrote: > >> I think the devil would be in implementation detail. Slapping a >> "rel/noopener" attribute on a specific link is very deterministic and >> straightforward from a logic

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Domenic Denicola
From: whatwg [mailto:whatwg-boun...@lists.whatwg.org] On Behalf Of Ian Hickson > I believe that's a bit of an overstatement. There are certainly risks > involved in window.opener (they're briefly discussed in the spec itself), but > it doesn't remove the origin checks. This is the crucial

Re: [whatwg] Background Geolocation for Progressive Web-Apps

2016-12-01 Thread Karl Dubost
On 2 Dec 2016 at 08:53, Richard Maher wrote: > The main goal of background geolocation reporting Previous related threads: https://groups.google.com/forum/#!topic/mozilla.dev.geolocation/D5UXf-N3JfU

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Zac Spitzer
how about rather than requiring this on every why not support a base tag directive for the whole document i.e. , similar to ? On Fri, Dec 2, 2016 at 12:39 PM, Domenic Denicola wrote: > From: whatwg [mailto:whatwg-boun...@lists.whatwg.org] On Behalf Of Ian > Hickson > > > I

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Domenic Denicola
From: Zac Spitzer [mailto:zac.spit...@gmail.com] > how about rather than requiring this on every why not support a base tag > directive for the whole document i.e. , similar to > ? Yes, this is a good idea to include in a general framework for imposing such

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Michael A. Peters
On 12/01/2016 05:39 PM, Domenic Denicola wrote: From: whatwg [mailto:whatwg-boun...@lists.whatwg.org] On Behalf Of Ian Hickson I believe that's a bit of an overstatement. There are certainly risks involved in window.opener (they're briefly discussed in the spec itself), but it doesn't remove

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Richard Maher
Thanks Michael. So to be safe one should use Edge? Who'd have thunk it? Anyone tested Michael's example on Firefox or Safari? It does look like Chrome is the driver of rel=noopener. Does the credential API https://w3c.github.io/webappsec-credential-management/ rely on this flaw? On Fri, Dec 2,