| 07:19 | <paritosh-in> | Ms2ger: can I do git rebase -i? |
| 07:24 | <Ms2ger> | paritosh-in, yep |
| 13:21 | <annevk> | Ms2ger: I guess we can move the XML5 thing if Servo is actually committing |
| 13:21 | <annevk> | Ms2ger: well, and I guess we should discuss with the main maintainer, wouldn't want any disagreement |
| 13:57 | <annevk> | Krinkle_: that you can figure out things a bit for <img> (which is more related to decoding than HTTP state afaik) shouldn't mean that you can figure it out generically |
| 14:08 | <Krinkle> | annevk: yeah, I guess if we could go back and change it, we'd remove that exposure from Image as well |
| 14:11 | <annevk> | oh yes |
| 14:11 | <annevk> | CORS all the things |
| 14:14 | <Krinkle> | annevk: I forgot the use I wanted it for -_- |
| 14:14 | <Krinkle> | but now I can only think of anti-use cases |
| 14:14 | <Krinkle> | e.g. rest APIs that communicate success with http status code |
| 14:14 | <Krinkle> | and try different urls until you get it right |
| 14:15 | <Krinkle> | I guess that's still do-able with Image or just server-side … |
| 14:15 | <Krinkle> | unless the attack relies on it re-using the session but then 1) don't use session cookies in your api, 2) fetch() doesn't send cookies for foreign domains |
| 15:23 | <annevk> | fetch() can send cookies |
| 18:26 | <TabAtkins> | annevk: If you start doing anything for XML5, please also talk with Dominic Cooney from our side. |