On Fri, May 30, 2014 at 5:40 PM, Jeffrey Walton noloa...@gmail.com wrote:
Are there any platforms providing the feature? Has the feature gained
any traction among the platform vendors?
The webapps platform that we use in FirefoxOS and Firefox Desktop
allows any website to be an app store. I
On Fri, May 30, 2014 at 2:07 AM, Jonas Sicking jo...@sicking.cc wrote:
On Thu, May 29, 2014 at 9:21 AM, Anne van Kesteren ann...@annevk.nl wrote:
Given that workers execute script in a fairly contained way, it might be
okay?
Worker scripts aren't going to be very contained as we add more
How big of a problem is it that we're making link as dangerous as
script? HTML imports can point to any origin which then will be able
to execute scripts with the authority of same-origin.
--
http://annevankesteren.nl/
On 02/06/14 11:06, Jonas Sicking wrote:
On Fri, May 30, 2014 at 5:40 PM, Jeffrey Walton noloa...@gmail.com wrote:
Are there any platforms providing the feature? Has the feature gained
any traction among the platform vendors?
The webapps platform that we use in FirefoxOS and Firefox Desktop
On Thu, May 29, 2014 at 4:25 PM, Takeshi Yoshino tyosh...@google.com wrote:
http://fetch.spec.whatwg.org/#dom-request
Add steps to set client and context?
That happens as part of the restricted copy. However, that might
still change around a bit.
I fail to understand why work on this API has been suspended. HTML5,
JavaScript and CSS together are becoming a natural platform of choice on
which to write portable applications. Indeed, I have just started work on
just such a project, welcoming the chance it gives to break away from
proprietary
So long as they're handled with the same policy and restrictions as the
script tag, it shouldn't be any worse.
On Jun 2, 2014 2:35 AM, Anne van Kesteren ann...@annevk.nl wrote:
How big of a problem is it that we're making link as dangerous as
script? HTML imports can point to any origin which
On Mon, Jun 2, 2014 at 2:54 PM, James M Snell jasn...@gmail.com wrote:
So long as they're handled with the same policy and restrictions as the
script tag, it shouldn't be any worse.
Well, script is assumed to be unsafe, link is not (at least not to
the same extent).
--
On 6/2/14, 8:54 AM, James M Snell wrote:
So long as they're handled with the same policy and restrictions as the
script tag, it shouldn't be any worse.
It's worse for sites that have some sort of filtering on user-provided
content but don't catch this case right now, no?
-Boris
Yup, like I said, it shouldn't be any worse. From what I've seen with
chrome, at the very least, import links are handled with the same CSP as
script tags. Which is certainly a good thing. I suppose that If you needed
the ability to sandbox them further, just wrap them inside a sandboxed
iframe.
Yes, that's true. Content filters are likely to miss the links themselves.
Hopefully, the imported documents themselves get filtered, but there's no
guarantee. One assumption we can possibly make is that any implementation
that knows how to follow import links ought to know that they need to be
On 6/2/14, 9:22 AM, James M Snell wrote:
Yes, that's true. Content filters are likely to miss the links
themselves. Hopefully, the imported documents themselves get filtered
By what, exactly? I mean, CSP will apply to them, but not website
content filters...
One assumption we can possibly
I'm not saying it's perfect. Not by any stretch. I'm saying it shouldn't be
worse. Any impl that supports the mechanism will need to be aware of the
risk and content filters will need to evolve. Perhaps an additional
strongly worded warning in the spec would be helpful.
On Jun 2, 2014 6:43 AM,
On 6/2/14, 9:54 AM, James M Snell wrote:
I'm not saying it's perfect. Not by any stretch. I'm saying it shouldn't
be worse.
I don't understand why you think it's not worse.
and content filters will need to evolve.
And until they do, we may have vulnerable pages, right? How is that not
On Jun 1, 2014, at 1:22 PM, Julian Ladbury julian.ladb...@berrick-computing.co.uk wrote:
I fail to understand why work on this API has been suspended.
Just to be clear, by “this API” I think you mean:
http://dev.w3.org/2009/dap/file-system/file-writer.html
HTML5, JavaScript and CSS
We will be having our second Web Components telcon tomorrow (June 3).
If you'd like to suggest specific agenda items, please reply to this
mail.
Potential agenda items:
* Understanding Shadow DOM theming problem, brainstorming primitives,
maybe even filing bugs (who knows!).
* Reduce the
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25914
Arun a...@mozilla.com changed:
What   | Removed  | Added
Status | REOPENED | RESOLVED
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25915
Arun a...@mozilla.com changed:
What   | Removed  | Added
Status | REOPENED | RESOLVED
On 02/06/2014 15:01, Boris Zbarsky wrote:
On 6/2/14, 8:54 AM, James M Snell wrote:
So long as they're handled with the same policy and restrictions as the
script tag, it shouldn't be any worse.
It's worse for sites that have some sort of filtering on user-provided
content but don't catch
On Mon, Jun 2, 2014 at 2:06 AM, Jonas Sicking jo...@sicking.cc wrote:
On Fri, May 30, 2014 at 5:40 PM, Jeffrey Walton noloa...@gmail.com wrote:
Are there any platforms providing the feature? Has the feature gained
any traction among the platform vendors?
The webapps platform that we use
On 6/2/14, 4:21 PM, Giorgio Maone wrote:
I do hope any filter already blocked out link elements, as CSS has
been an XSS vector for a long time
link elements without stylesheet in rel don't load CSS, though.
Hence the worries about blacklist vs whitelist...
-Boris
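To make the blacklist-versus-whitelist point above concrete, here is an added example (not code from the thread or from any browser or sanitizer named in it): a minimal element-level sanitizer built on Python's html.parser, run in both modes over a constructed snippet. The blacklist mode knows only script and link rel=stylesheet, so a link rel=import passes straight through; the allowlist mode never lists link at all. The class and function names and the example.invalid host are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser

VOID = {"link", "br", "img", "meta", "input", "hr"}  # elements without an end tag

class LinkAwareSanitizer(HTMLParser):
    """Rebuilds markup, dropping elements the active policy rejects.
    allowlist=False: blacklist knowing only <script> and <link rel=stylesheet>.
    allowlist=True:  allowlist; anything unlisted, <link> included, is dropped.
    Element-level policy only; attribute and URL filtering are out of scope."""
    BLOCKED_TAGS, BLOCKED_RELS = {"script"}, {"stylesheet"}
    ALLOWED_TAGS = {"p", "b", "i", "em", "strong"}

    def __init__(self, allowlist):
        super().__init__(convert_charrefs=True)
        self.allowlist, self.out, self.skipping = allowlist, [], 0

    def permitted(self, tag, attrs):
        if self.allowlist:
            return tag in self.ALLOWED_TAGS
        if tag in self.BLOCKED_TAGS:
            return False
        if tag == "link":  # the blacklist only recognises the CSS case
            rels = set(dict(attrs).get("rel", "").lower().split())
            return not rels & self.BLOCKED_RELS
        return True

    def handle_starttag(self, tag, attrs):
        if self.skipping or not self.permitted(tag, attrs):
            if tag not in VOID:
                self.skipping += 1  # drop the element's content as well
            return
        rendered = "".join(f' {k}="{escape(v or "")}"' for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if self.skipping:
            self.skipping -= tag not in VOID  # only a non-void end tag closes a skip
        elif tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))

def sanitize(markup, allowlist):
    parser = LinkAwareSanitizer(allowlist)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample of user-supplied content; example.invalid is a placeholder host.
SAMPLE = ('<p>hello</p><link rel="stylesheet" href="https://example.invalid/a.css">'
          '<link rel="import" href="https://example.invalid/c.html"><script>1</script>')
```

Run over SAMPLE, the blacklist mode keeps the import link while removing the stylesheet link and the script; the allowlist mode returns only the paragraph.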
From: Robin Berjon [mailto:ro...@w3.org]
I think we agree at the high level but might disagree over smaller details.
You
seem to want something that would roughly resemble the
following:
BeforeSelectionChange
{
direction: forward
, step: word
}
whereas I would see
Great context. Thanks! Let me ask my question another way- should
CompositionEvents be used when there isn't a composition? Should typing 'a'
fire CompositionEnd? If not we still need a CommandEvent of type insertText,
and it seems inconsistent not to fire it for all typing, doesn't it?
From:
Some initial informal testing shows that import links do make it through
the filters I have readily handy. It was quick work to write up some custom
filters, however.
On Jun 2, 2014 1:52 PM, Boris Zbarsky bzbar...@mit.edu wrote:
On 6/2/14, 4:21 PM, Giorgio Maone wrote:
I do hope any filter
As with any new feature, there's the risk of introducing new security bugs
on applications that otherwise wouldn't have them. The usual argument goes
as follows:
Browser vendors have a lot of undocumented functionality, and it would be
foolish to create a blacklist approach on content filtering,
On 6/2/14, 11:17 PM, Eduardo' Vela Nava wrote:
Now, I'm not sure how many have tried to implement an HTML sanitizers.
I've reviewed Gecko's implementation of one, if that counts...
1. You have to write a parser OR You have to use a third-party parser.
Wasn't an issue for us obviously.