From: Boris Zbarsky []

> This particular example sets of alarm bells for me because of virtual hosting.

Eek! Yeah, OK, I think it's best I refrain from trying to come up with specific 
examples. Let's forget I said anything...

> As in, this seems like precisely the sort of thing that one browser might
> experiment with, another consider an XSS security bug, and then we have
> content that depends on a particular browser, no?

My argument is that it's not materially different from existing permissions 
APIs. Sometimes the promise is rejected, sometimes it isn't. (Note that either 
outcome could happen without the user ever seeing a prompt.) The code works in 
every browser---some just follow the denied code path, and some follow the 
accepted code path. That's fine: web pages already need to handle that.

Reply via email to