Re: HTML spec changes about data: URIs and origins

2016-11-08 Thread smaug

On 11/07/2016 10:41 PM, smaug wrote:

Just to get some idea how many tests would be broken:
https://treeherder.mozilla.org/#/jobs?repo=try=28735d0f2e5516c5a6d1f7805a065a6edbd8f28b



The results show that quite a few tests need to be fixed, if we want to change 
data: handling.
Should we start doing that? I think we should since eventually we should become 
compatible with other engines.

(I'm still busy fixing browser chrome tests to work with proper Promise 
scheduling, so can't help here quite yet)


-Olli




On 09/13/2016 03:31 PM, Frederik Braun wrote:

Firefox treats iframes pointing to a data URL as same-origin. This is
all well-known, was part of the HTML spec and has been discussed before
[1,2].

What has changed now is the HTML spec text[3]: Given that EdgeHTML,
Webkit and Blink violated this requirement, the standard now turned
around and assigns them a unique opaque origin.
I'll gladly accept the fact that we are not the violator, given the
security implications [1].

The GitHub related issue[4] included a discussion with some of our DOM
folks, but did not come to a conclusion as to what we plan to do here.

Is back compat the main concern? I'd be happy to add a telemetry probe
and a devtools warning if someone is willing to point me in the right
direction.


Thanks,
Freddy


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=255107
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1018872
[3]
https://github.com/whatwg/html/commit/00769464e80149368672b894b50881134da4602f
[4] https://github.com/whatwg/html/issues/1753





___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
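
The two behaviours discussed in this thread, as an added example that is not part of the original messages or of any browser's code: a small model of origin assignment for a `data:` iframe under the "inherit" behaviour (what the thread says Firefox does) and under the revised spec text (a unique opaque origin). The names `originOf`, `sameOrigin`, `embedScenario` and the `app.example` URL are hypothetical.

```javascript
// Added illustration; a simplified model, not browser code.
class OpaqueOrigin {
  serialize() { return "null"; } // opaque origins serialize to "null"
}

class TupleOrigin {
  constructor(scheme, host, port) { Object.assign(this, { scheme, host, port }); }
  serialize() {
    return `${this.scheme}://${this.host}${this.port ? ":" + this.port : ""}`;
  }
}

// policy "inherit": a data: document takes its embedder's origin.
// policy "opaque":  a data: document gets a fresh, unique opaque origin.
function originOf(url, embedderOrigin, policy) {
  const u = new URL(url);
  if (u.protocol === "data:") {
    return policy === "inherit" ? embedderOrigin : new OpaqueOrigin();
  }
  return new TupleOrigin(u.protocol.slice(0, -1), u.hostname, u.port);
}

// An opaque origin is same-origin only with itself (object identity).
function sameOrigin(a, b) {
  if (a instanceof OpaqueOrigin || b instanceof OpaqueOrigin) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed scenario: one page embedding the same data: URL in two iframes.
const FRAME_URL = "data:text/html,constructed-sample";
function embedScenario(policy) {
  const page = originOf("https://app.example/", null, policy);
  const f1 = originOf(FRAME_URL, page, policy);
  const f2 = originOf(FRAME_URL, page, policy);
  return {
    frameVsPage: sameOrigin(f1, page),   // can the frame reach the embedder?
    frameVsFrame: sameOrigin(f1, f2),    // can sibling data: frames reach each other?
    frameVsSelf: sameOrigin(f1, f1),
    serialized: f1.serialize(),
  };
}
```

Tests that rely on a `data:` frame reaching into its embedder correspond to `frameVsPage` flipping from true to false between the two policies.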


W3C Proposed Recommendation: CSP2 (Content Security Policy 2)

2016-11-08 Thread L. David Baron
A W3C Proposed Recommendation is available for the membership of W3C
(including Mozilla) to vote on, before it proceeds to the final
stage of being a W3C Recommendation:

  Content Security Policy Level 2 (CSP2)
  W3C TR draft: https://www.w3.org/TR/CSP2/
  Editor's draft: https://w3c.github.io/webappsec-csp/
  deadline: Friday, December 9 (23:59 in UTC-05:00)
but that's during the Hawaii all-hands, so I hope to submit
comments by the previous Friday, December 2

If there are comments you think Mozilla should send as part of the
review, or opinions on whether we should vote in support or formally
object to something, please say so in this thread.  (I'd note,
however, that there have been many previous opportunities to make
comments, so it's somewhat bad form to bring up fundamental issues
for the first time at this stage.)

-David

-- 
L. David Baron http://dbaron.org/
Mozilla  https://www.mozilla.org/
 Before I built a wall I'd ask to know
 What I was walling in or walling out,
 And to whom I was like to give offense.
   - Robert Frost, Mending Wall (1914)

