On 4/1/15 12:50 PM, Domenic Denicola wrote:
> Do you think it's acceptable for browsers to experiment with e.g. auto-granting permission if the requested remoteAddress is equal to the IP address of the origin executing the API?
This particular example sets off alarm bells for me because of virtual hosting. As in, this seems like precisely the sort of thing that one browser might experiment with, another consider an XSS security bug, and then we have content that depends on a particular browser, no?