On 9/29/17 3:32 PM, Kris Maglione wrote:
For instance, the following should all capture the
caller principal for the `src` URL at call time:
document.write(`<img src="http://example.com/favicon.ico";>`);
div.innerHTML = `<img src="http://example.com/favicon.ico";>`;
img.setAttribute("src", "http://example.com/favicon.ico";);
img.src = "http://example.com/favicon.ico";;
What is the plan to do this, concretely? Changing img.src to thread
through a principal is not too bad but doing it for setAttribute would
be a bit of a performance annoyance, and threading them through the
parser would be _quite_ annoying.
The other option is to basically use something like SubjectPrincipal(),
but we're trying to remove existing uses of that, because the
action-at-a-distance makes it hard to reason about its security properties.
-Boris
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
