On Mon, Jun 2, 2014 at 2:48 PM, Boris Zbarsky <bzbar...@mit.edu> wrote: > On 6/2/14, 5:19 AM, Anne van Kesteren wrote: >> This is not the case in Chrome and we'd like this to be no >> longer the case in Gecko. > > Note that it's not clear to me what "we" means in this case. For example, > I'm unconvinced we want to change Gecko behavior here.
You're not persuaded by the attack scenario? >> And then it would only be set for the initial >> fetch, not after the <iframe> has been navigated. > > More precisely, it would be set for loads due to the iframe's src changing > but not ones due to link clicks and location changes? > > Or do you really mean only for the initial fetch and not later changes to > @src? Actual changes to @src seems fine since they are under the control of the page. (At least as much as the allowsameorigindataurl attribute.) >> I'll be updating Fetch shortly with this new policy > > This seems fine, since we want it no matter what; the only disagreement is > about when that flag should be set, right? Provided we agree that it is always unset after any redirect, yes. -- http://annevankesteren.nl/