On 12.09.2014 12:22, Anne van Kesteren wrote:
> On Fri, Sep 12, 2014 at 11:56 AM, Frederik Braun <fbr...@mozilla.com> wrote:
>> Yes and no. I identified this while working on a thesis on the Same
>> Origin Policy in 2012 and filed this only for Geolocation in bug
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=812147>.
>>
>> But the general solution might be a permission manager rewrite, I suppose?
>
> That seems like a good idea. TLS permissions leaking to non-TLS seems
> really bad. Cross-port also does not seem ideal. I hope it's not as
> bad as cookies in that it also depends on Public Suffix?
>
> If we rewrite I think it would be good to take top-level browsing
> context partitioning under consideration. That is, if I navigate to
> https://example/ and grant it the ability to do X. And then navigate
> to https://elsewhere.invalid/ which happens to embed https://example/,
> the embedded https://example/ does not have the ability to do X.

I filed bug <https://bugzilla.mozilla.org/show_bug.cgi?id=1066517> for this.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
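
The keying choices discussed in this thread, as an added example that is not part of either message and is not Firefox's permission manager code. The `PermissionStore` class, its three key modes and the `evaluate` helper are hypothetical names; the model assumes a host-only key is what lets a grant carry over to non-TLS and other ports.

```javascript
// Added illustration: a toy permission store, not Firefox's permission manager.
// keyMode decides what a grant is bound to (assumed model, names hypothetical).
class PermissionStore {
  constructor(keyMode) {
    this.keyMode = keyMode; // "host" | "origin" | "partitioned"
    this.grants = new Set();
  }
  // frameUrl: document asking for the permission; topUrl: top-level document.
  key(perm, frameUrl, topUrl) {
    const frame = new URL(frameUrl);
    const top = new URL(topUrl || frameUrl);
    switch (this.keyMode) {
      case "host": // scheme and port ignored
        return `${perm}|${frame.hostname}`;
      case "origin": // scheme + host + port
        return `${perm}|${frame.origin}`;
      case "partitioned": // origin, scoped to the top-level origin
        return `${perm}|${top.origin}|${frame.origin}`;
      default:
        throw new Error(`unknown key mode: ${this.keyMode}`);
    }
  }
  grant(perm, frameUrl, topUrl) { this.grants.add(this.key(perm, frameUrl, topUrl)); }
  has(perm, frameUrl, topUrl) { return this.grants.has(this.key(perm, frameUrl, topUrl)); }
}

// The user grants geolocation to https://example/ loaded as the top-level page;
// each field reports whether another context inherits that grant.
function evaluate(keyMode) {
  const store = new PermissionStore(keyMode);
  store.grant("geolocation", "https://example/");
  return {
    sameOrigin: store.has("geolocation", "https://example/other"),
    nonTls: store.has("geolocation", "http://example/"),
    crossPort: store.has("geolocation", "https://example:8443/"),
    embedded: store.has("geolocation", "https://example/", "https://elsewhere.invalid/"),
  };
}

for (const mode of ["host", "origin", "partitioned"]) {
  console.log(mode, evaluate(mode));
}
```

Only the partitioned key denies the grant to https://example/ when it is embedded under https://elsewhere.invalid/; the origin key already stops the non-TLS and cross-port cases.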