From: Karl Dahlke
Reply-to: Karl Dahlke
To: Edbrowse-dev@lists.the-brannons.com
Subject: [Edbrowse-dev] frames and security
Date: Thu, 10 Aug 2017 05:59:20 -0400
Message-ID: <20170710055920.eklhad@comcast.net>
References: <20170709235748.eklhad@comcast.net> <20170810060945.GA32600@nautica>
User-Agent: edbrowse/3.7.0+

> the Content-Security-Policy header.

Doggies, that's a mess! Not sure if we're ever gonna deal with that.

> refuse to load frames if the domain does not match.

Well, sites pull in frames from all over the internet, lots of youtube videos for example, and google analytics and so on. I'm sure we need to allow frames from anywhere.

> I also think native_fetchHTTP should have some safe guards, I would just
> refuse if the incoming_url site does not match the document site but
> this might break things.

It might indeed. I wouldn't make that restriction unless (A) a spec told me to, and (B) other browsers do as well.

You can interact with the user from the js process; see the native prompt and confirm commands.

However, the number of features that only work in JS1 is growing, and will continue to grow. I will probably switch so that one process is default, with $JS2=on forcing edbrowse into 2, and then perhaps jettisoning 2 processes altogether. I could throw away a lot of code in that event, and clean it up, and it would be much more readable.

Karl Dahlke
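The two checks the thread goes back and forth on, a same-origin comparison between the document and a frame URL and a decision driven by the page's Content-Security-Policy frame-src directive, are shown below as an added example written for this page. It is not code from the edbrowse project or from anyone in the thread. It follows the CSP source-expression rules ('self', 'none', scheme-only sources, host sources with an optional scheme, port and leading wildcard, and the frame-src / child-src / default-src fallback chain) but deliberately simplifies: path matching, IPv6 host literals and nonce or hash sources are not handled. The URLs and header values in the sample calls are constructed, and the behaviour with no policy at all is the one the reply argues for: frames from anywhere are allowed.

```python
from urllib.parse import urlsplit

# Default ports used when a URL or a CSP host source does not name one.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url):
    """Return the (scheme, host, port) origin tuple of a URL, normalised."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname is already lower-cased by urlsplit
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(doc_url, frame_url):
    """The strict check proposed in the thread: scheme, host and port must all match."""
    return origin_of(doc_url) == origin_of(frame_url)


def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def scheme_matches(pattern_scheme, scheme):
    # CSP lets an http: (or ws:) source also cover its secure counterpart.
    return pattern_scheme == scheme or (pattern_scheme, scheme) in {("http", "https"), ("ws", "wss")}


def host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # A leading wildcard covers subdomains only, never the bare domain itself.
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allows(expr, doc_origin, frame_origin):
    """Decide whether one CSP source expression permits frame_origin."""
    e = expr.lower()
    scheme, host, port = frame_origin
    if e == "'self'":
        return frame_origin == doc_origin
    if e.startswith("'"):
        return False  # 'none', nonces and hashes never allow a frame on their own
    if e.endswith(":") and "://" not in e:
        return scheme_matches(e[:-1], scheme)  # scheme-only source such as "https:"
    pattern_scheme = None
    if "://" in e:
        pattern_scheme, e = e.split("://", 1)
    e = e.split("/", 1)[0]  # simplification: the path part is ignored here
    pattern_port = None
    if ":" in e:
        e, port_text = e.rsplit(":", 1)
        pattern_port = "*" if port_text == "*" else int(port_text)
    if pattern_scheme is None:
        # No scheme in the source: it inherits the document's scheme, with https upgrade allowed.
        if not scheme_matches(doc_origin[0], scheme):
            return False
    elif not scheme_matches(pattern_scheme, scheme):
        return False
    if not host_matches(e, host):
        return False
    if pattern_port == "*":
        return True
    if pattern_port is None:
        return port == DEFAULT_PORTS.get(pattern_scheme or scheme)
    return port == pattern_port


def frame_allowed(doc_url, frame_url, csp_header=None):
    """Should the document at doc_url be allowed to load a frame from frame_url?

    With no policy, or a policy that says nothing about frames, the answer is yes:
    that is the permissive default the reply above defends.
    """
    if csp_header is None:
        return True
    policy = parse_csp(csp_header)
    sources = None
    for name in ("frame-src", "child-src", "default-src"):  # CSP3 fallback order
        if name in policy:
            sources = policy[name]
            break
    if sources is None:
        return True
    if any(s.lower() == "'none'" for s in sources):
        return False
    doc_origin, frame_origin = origin_of(doc_url), origin_of(frame_url)
    return any(source_allows(s, doc_origin, frame_origin) for s in sources)


if __name__ == "__main__":
    # Constructed sample: an embedded video allowed by an explicit frame-src list.
    csp = "default-src 'self'; frame-src 'self' https://www.youtube.com"
    print(frame_allowed("https://example.com/page", "https://www.youtube.com/embed/abc", csp))
    print(frame_allowed("https://example.com/page", "https://other.example.net/", csp))
```

Running the block prints True then False: the embedded video source is listed, the unrelated host is not. A browser that applies only the same-origin rule would have rejected both, which is exactly the breakage the reply worries about; evaluating the page's own policy instead keeps third-party embeds working while still honouring a site that asks for restrictions.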