On 2014-09-12, 6:22 AM, Anne van Kesteren wrote:
> On Fri, Sep 12, 2014 at 11:56 AM, Frederik Braun <fbr...@mozilla.com> wrote:
>> Yes and no. I identified this while working on a thesis on the Same
>> Origin Policy in 2012 and filed this only for Geolocation in bug
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=812147>.
>>
>> But the general solution might be a permission manager rewrite, I suppose?
>
> That seems like a good idea. TLS permissions leaking to non-TLS seems
> really bad. Cross-port also does not seem ideal. I hope it's not as
> bad as cookies in that it also depends on Public Suffix?

The permission manager was originally used to store the permission of websites that are allowed to set third-party cookies if you turn on that pref, and it's not used for storing the cookies themselves. As such, it is fortunately oblivious to the Public Suffix List.

> If we rewrite I think it would be good to take top-level browsing
> context partitioning under consideration. That is, if I navigate to
> https://example/ and grant it the ability to do X. And then navigate
> to https://elsewhere.invalid/ which happens to embed https://example/,
> the embedded https://example/ does not have the ability to do X.

The permission manager itself is unaware of browsing contexts; it is the consumer that decides how to query it.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
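
The keying choices discussed in this thread, shown as an added example that is not part of the original messages and is not Gecko's permission manager code. It is a simplified model: the strategy names, the `PermissionStore` class and the `geo` permission name are hypothetical, and the scenario URLs are the ones used in the thread plus constructed variants.

```javascript
// Simplified model of a permission store (hypothetical, not Gecko code).
// Each strategy derives the lookup key for a stored grant.
const keyers = {
  // Host only: scheme and port are ignored, so TLS and non-TLS share grants.
  host: (url) => new URL(url).hostname,
  // Full origin: scheme + host + port.
  origin: (url) => new URL(url).origin,
  // Origin partitioned by the origin of the top-level browsing context.
  partitioned: (url, topLevel) =>
    `${new URL(topLevel).origin}^${new URL(url).origin}`,
};

class PermissionStore {
  constructor(strategy) {
    if (!(strategy in keyers)) throw new Error(`unknown strategy: ${strategy}`);
    this.keyOf = keyers[strategy];
    this.grants = new Set();
  }
  // topLevel defaults to the URL itself (document loaded as the top-level page).
  grant(url, perm, topLevel = url) {
    this.grants.add(`${this.keyOf(url, topLevel)}|${perm}`);
  }
  isGranted(url, perm, topLevel = url) {
    return this.grants.has(`${this.keyOf(url, topLevel)}|${perm}`);
  }
}

// Constructed scenario: the user grants "geo" to https://example/ while it is
// the top-level page, then the same permission is queried from other contexts.
function scenario(strategy) {
  const store = new PermissionStore(strategy);
  store.grant("https://example/", "geo");
  return {
    sameOrigin: store.isGranted("https://example/page", "geo"),
    nonTls: store.isGranted("http://example/", "geo"),
    otherPort: store.isGranted("https://example:8443/", "geo"),
    embedded: store.isGranted("https://example/", "geo", "https://elsewhere.invalid/"),
  };
}

for (const s of Object.keys(keyers)) console.log(s, scenario(s));
```

Only the `partitioned` strategy denies the embedded `https://example/` frame; `origin` closes the scheme and port cases but still honours the grant inside `https://elsewhere.invalid/`.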
