Status

enhancement
P5
normal
3 years ago
3 years ago

People

(Reporter: mmitar, Unassigned)

Tracking

42 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog])

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

I wanted to use sub-origins (https://metromoxie.github.io/webappsec/specs/suborigins/).


Actual results:

They did not work.


Expected results:

They should work.

Changes to API needed to make it work:

* Suborigin header to specify a page's entry into a suborigin
* Access-Control-Allow-Suborigin response header
* New event.suborigin field

Public standards discussion: https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0127.html
Editor's draft of spec: https://metromoxie.github.io/webappsec/specs/suborigins/

Chromium issue: https://code.google.com/p/chromium/issues/detail?id=555117
Myk, where should this live? core:dom apps?
Flags: needinfo?(myk)
(In reply to Kevin Brosnan [:kbrosnan] from comment #1)
> Myk, where should this live? core:dom apps?

I think this actually belongs in Core::DOM: Security, the Bugzilla home of the Content Security module <https://wiki.mozilla.org/Modules/All#Content_Security>, which is responsible for "Native content-based security features, including: Content Security Policy (CSP), Mixed Content Blocker (MCB), Subresource Integrity (SRI) and CORS."
Component: Untriaged → DOM: Security
Flags: needinfo?(myk)
Product: Firefox → Core
(In reply to Mitar from comment #0)
> I wanted to use sub-origins
> (https://metromoxie.github.io/webappsec/specs/suborigins/).
> 
> Actual results:
> They did not work.

That is not an adopted spec and Mozilla has not decided whether we will implement it or not. Even if we do, there are problems in the spec that will have to be addressed (such as the serialization format).
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Whiteboard: [domsecurity-backlog]