On Wed, Jan 6, 2016 at 9:50 PM, Robert O'Callahan <[email protected]> wrote:
> Where would you put that flag?

Simplest would be an HTTP header I suppose.

> I think this has basically the same problems: very difficult to specify and
> police, and fragile when the content changes.

At least enforcing CORS-same-origin would be somewhat trivial from a specification perspective since all fetches go through Fetch. Limiting plugins and other affected features would be some added conditionals here and there. I don't see how content changes would have an impact since you can only change the policy through navigation at which point you'd have a new global and such anyway.

-- 
https://annevankesteren.nl/
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform

