On Mon, Jun 2, 2014 at 2:48 PM, Boris Zbarsky <bzbar...@mit.edu> wrote:
> On 6/2/14, 5:19 AM, Anne van Kesteren wrote:
>> This is not the case in Chrome and we'd like this to be no
>> longer the case in Gecko.
> Note that it's not clear to me what "we" means in this case.  For example,
> I'm unconvinced we want to change Gecko behavior here.

You're not persuaded by the attack scenario?

>> And then it would only be set for the initial
>> fetch, not after the <iframe> has been navigated.
> More precisely, it would be set for loads due to the iframe's src changing
> but not ones due to link clicks and location changes?
> Or do you really mean only for the initial fetch and not later changes to
> @src?

Actual changes to @src seems fine since they are under the control of
the page. (At least as much as the allowsameorigindataurl attribute.)

>> I'll be updating Fetch shortly with this new policy
> This seems fine, since we want it no matter what; the only disagreement is
> about when that flag should be set, right?

Provided we agree that it is always unset after any redirect, yes.


Reply via email to