Intent to implement: Support Referrer Policy for

Summary: This implementation adds Referrer Policy support to the

Re: Intent to implement: Support Referrer Policy for

-tag https://searchfox.org/mozilla-central/source/testing/web-platform/meta/referrer-policy/origin/attr-referrer/same-origin/http-http/script-tag On Thu, Nov 1, 2018 at 11:28 AM James Graham wrote: > On 31/10/2018 14:03, Thomas Nguyen wrote: > > Summary: This implementation adds Re

Re: Intent to implement: Support Referrer Policy for

Oh, you are right, sorry that I used confusing words. After implementation, we expect they are all passed as OK, not FAIL. On Thu, Nov 1, 2018 at 12:24 PM James Graham wrote: > On 01/11/2018 11:03, Thomas Nguyen wrote: > > The link > > > https://searchfox.org/mozilla-central/s

Intent to implement and ship: Limit the length of Referer header to 4k

ests: https://github.com/web-platform-tests/wpt/blob/master/referrer-policy/generic/referrer-policy-test-case.sub.js -- Best regards, ========= Thomas Nguyen IRC : tngu...@irc.mozilla.com Slack: tnguyen Email: tngu...@

Re: Intent to implement and ship: Limit the length of Referer header to 4k

Thanks, that's a good point indeed. I prefer adding a console warning in this case. On Tue, Jul 2, 2019 at 9:23 PM Panos Astithas wrote: > On Tue, Jul 2, 2019 at 6:16 AM Thomas Nguyen wrote: > >> DevTools bug: No >> > > Wouldn't it be helpful to indicate su

Intent to prototype: Delegate and restrict permission in third party context

ator.services.mozilla.com/D42958#change-pqamxq3whbwg> Secure contexts: yes. Is this feature enabled by default in sandboxed iframes? Yes -- Best regards, = Thomas

Re: Intent to prototype: Delegate and restrict permission in third party context

On Tuesday, November 26, 2019 at 1:03:01 AM UTC+1, kgil...@mozilla.com wrote: > On Monday, November 25, 2019 at 9:29:10 AM UTC-8, Thomas Nguyen wrote: > > Summary: People don’t have a good understanding of iframes, because > > generally, no UI indicates that iframes are visible on

Re: Intent to prototype: Delegate and restrict permission in third party context

On Tuesday, November 26, 2019 at 1:03:01 AM UTC+1, kgil...@mozilla.com wrote: > On Monday, November 25, 2019 at 9:29:10 AM UTC-8, Thomas Nguyen wrote: > > Summary: People don’t have a good understanding of iframes, because > > generally, no UI indicates that iframes are visible on

Re: Intent to prototype: Delegate and restrict permission in third party context

On Wednesday, November 27, 2019 at 4:55:35 PM UTC+1, s.h...@gmail.com wrote: > How will you leak Geo Location, Camera data, etc, using HTML injecting? I’m > saying the origin is vulnerable to HTML injection, and origin is not > malicious. Thanks, yes, that is a consideration we should care about,

Re: Intent to prototype: Delegate and restrict permission in third party context

On Monday, November 25, 2019 at 10:38:28 PM UTC+1, s.h...@gmail.com wrote: > 1. If a user already gave permission to certain origin (e.g. skype.com), and > that origin had HTML injection, does that mean attacker can now silently > inherit permission from skype.com? > > 2. If so, how can a websit

Re: Intent to prototype: Delegate and restrict permission in third party context

On Wednesday, November 27, 2019 at 7:50:46 PM UTC+1, s.h...@gmail.com wrote: > >Conversely, there would be another attack to link to > >attacker spaces on already-trusted sites (but no top-level) >and get > >silently access too. > That is not silent, because user would have already granted permis