On Mon, 5 Mar 2018, Dominique Martinet wrote:
Karl Dahlke wrote on Mon, Mar 05, 2018:
He writes a web page with javascript that does an xhr request to
zipxd://foo.zip@:@top
I think it's a matter of priority, but now that we have javascript working a
bit better we might soon find time to make it more restricted somehow.
I still think allowing any site to do xhr requests anywhere is not
something we will want.
I completely agree. For a long time we've been in a pocket. It didn't
matter that much because we didn't have a lot of pages that were getting
all the way through the several steps of retrieving responseText, going to
a callback, processing the content, and innerHTML side effects take it
back to EBML. (!) It's very exciting that we started to get this, so
congratulations, our prize for breaking through is a new tier of robust
worries.
I could write the same-origin restriction into javascript. Not that this
covers it entirely, but at least the default would be strict and we would
block some opportunists. Suppose I have just loaded abc.com, and I
instantiate a new XMLHttpRequest object. I try to retrieve a page from
def.com. Should I intercept this in javascript before it gets to
fetchHTTP, and fail silently? Or throw something?
I started writing a mail about this ages ago (August last year!) and it
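The same-origin check discussed in the message above, as an added example that is not part of the original mail or of edbrowse's code. It takes the "throw" option from the question; `checkXhrTarget`, `guardedOpen` and the `doFetch` callback are hypothetical names, and the scheme allowlist is an assumption.

```javascript
// Added example: hypothetical helpers, not edbrowse functions.
// Assumption: only these schemes may be fetched from page script at all.
const NETWORK_SCHEMES = new Set(["http:", "https:"]);

// Parse a URL into its origin triple, or return null if it cannot be parsed.
function originOf(url, base) {
  let u;
  try {
    u = new URL(url, base);
  } catch (e) {
    return null; // unparsable: no origin, so it can never match
  }
  // For http/https the URL parser already drops default ports (80/443).
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port };
}

// Decide whether script on pageUrl may request targetUrl.
function checkXhrTarget(pageUrl, targetUrl) {
  const page = originOf(pageUrl);
  const target = originOf(targetUrl, pageUrl); // relative URLs resolve against the page
  if (!page || !target) return { allowed: false, reason: "unparsable URL" };
  if (!NETWORK_SCHEMES.has(target.scheme))
    return { allowed: false, reason: "scheme " + target.scheme + " not fetchable from script" };
  if (page.scheme !== target.scheme || page.host !== target.host || page.port !== target.port)
    return { allowed: false, reason: "cross-origin" };
  return { allowed: true, reason: "same origin" };
}

// Strict default: refuse before the request reaches the fetch layer.
function guardedOpen(pageUrl, targetUrl, doFetch) {
  const verdict = checkXhrTarget(pageUrl, targetUrl);
  if (!verdict.allowed)
    throw new Error("XHR blocked (" + verdict.reason + "): " + targetUrl);
  return doFetch(new URL(targetUrl, pageUrl).href);
}
```

Both the abc.com to def.com case and the zipxd:// URL quoted in the thread are refused here, the second because its scheme is not on the allowlist regardless of how the URL parses.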