01:11 | <duryodhan> | hi folks .. where do I report possible errors in the HTML5 spec? It's a trivial but important bug: the Fetch algorithm http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#fetch doesn't actually check the same-origin flag. It only does so after a redirect. |
01:12 | <duryodhan> | Is Hixie the right person to ping about this? |
01:13 | <annevk> | origin is checked before the request is made |
01:13 | <annevk> | before fetch is invoked, that is |
01:18 | <annevk> | duryodhan: ^^ |
01:18 | <duryodhan> | annevk: can't find that check at http://www.whatwg.org/specs/web-apps/current-work/multipage/workers.html#dom-workerglobalscope-location |
01:19 | <duryodhan> | it just seems like a better idea to do the check inside the fetch url .. what does it even mean to do a cross origin fetch with same-origin flag set? If it redirects to the same domain it will be disallowed ? |
01:21 | <annevk> | duryodhan: http://www.whatwg.org/specs/web-apps/current-work/multipage/workers.html#dom-worker |
01:22 | <annevk> | duryodhan: I'm not sure that you can ever get into that situation, but maybe the spec should indeed point that out |
01:23 | <duryodhan> | annevk: ohh yeah .. noticed. |
01:23 | <duryodhan> | yeah to me it seems unnecessary to require all calls to fetch to do the same-origin check themselves |
01:24 | <annevk> | I don't think all calls do such a check |
01:24 | <annevk> | but maybe now with CORS that changed |
01:24 | <annevk> | at some point CORS/fetch needs to be merged |
01:24 | <annevk> | but we're gonna wait with that |
01:33 | annevk | wonders where myakura is |
01:34 | annevk | thinks myakura should deal with http://lists.w3.org/Archives/Public/public-webapps/2011OctDec/1209.html :p |
10:49 | <ashaw> | hey, I was wondering if there was a way of telling a web browser to not allow any external embedding of javascript in a document and to disable eval? |
10:51 | <ashaw> | because as far as I can see there is not, and this would be a useful security feature for the web |
11:05 | <bga_> | ashaw http://www.w3schools.com/html5/att_iframe_sandbox.asp |
11:06 | <ashaw> | but can I do it outside of an iframe |
11:07 | <bga_> | => wrap all page into iframe |
11:08 | <ashaw> | That is kind of useless |
11:09 | <ashaw> | and will cause usability problems with, giving the most basic example, an iPhone |
11:09 | <bga_> | sec |
11:10 | <ashaw> | Also I want to load scripts, but only those originally embedded in the html of the page, no other scripts |
11:11 | <ashaw> | so above also does not do what I want |
11:12 | <bga_> | ashaw you can use DOM mutation events, catch any attempt to add <script> and don't allow setting src |
11:12 | <ashaw> | and how do you deal with eval? |
11:12 | <bga_> | by replacing src attribute and setAttribute fn |
11:13 | <bga_> | oh eval |
11:13 | <bga_> | ashaw user still can use cross origin XHR and eval/Fn, ok |
11:14 | <bga_> | but you can wrap XHR too :) |
11:14 | <ashaw> | yeah, but this is now becoming complex and vulnerable to bugs |
11:15 | <ashaw> | and what if they then do and override your handler |
11:16 | Philip` | thought mutation events were generally agreed to be evil and never to be used |
11:17 | <Philip`> | ashaw: Maybe you want something a bit like https://developer.mozilla.org/en/Security/CSP ? |
11:20 | <bga_> | ashaw don't forget that user can download resource via <img> & canvas, <link>, <object> and <embed> |
11:21 | <ashaw> | I was about to mention them |
11:21 | <ashaw> | That CSP stuff seems good |
11:23 | <ashaw> | but only firefox? |
11:24 | <ashaw> | does webkit, IE, opera offer anything similar? |
11:28 | <ashaw> | so webkit is implementing support |
11:32 | <bga_> | https://docs.google.com/present/view?id=dz4jvnj_54hrjnwpdc&pli=1 |
11:41 | <ashaw> | cool, but not quite applicable |
11:43 | <bga_> | I like typesafe router |
11:48 | <ashaw> | So do I |