On Thu, Sep 10, 2009 at 3:11 PM, Darin Fisher <[email protected]> wrote:
> Yeah, whatever problems we have with view-net-internal, we must have with
> view-cache. Before making a change, we should understand why view-cache
> hasn't been a problem. Or, has it?

It's not as concrete as having a vulnerability or not. Every time we add a new scheme, we increase the attack surface and add complexity to our security logic.

For example, chrome: has the noAccess bit set, which mitigates XSS on chrome: pages. I suspect we didn't remember to set the noAccess bit on view-net-internal. Of course we could enable that particular mitigation in this particular case, but it's a parade of paper cuts. Unless there's a tangible benefit to using a new scheme, it's probably not worth the cost.

Adam
