[Webkit-unassigned] [Bug 16716] XHR Handler may call undefined function
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jan 3 10:26:45 PST 2008
http://bugs.webkit.org/show_bug.cgi?id=16716
------- Comment #7 from chrisb at adobe.com 2008-01-03 10:26 PDT -------
We changed the xhr code to fire onreadystatechange after the document is
parsing mainly because of a security policy we had to implement. The real
issue for us is that while a document with a "app:" url scheme is being parsed
we allow window.eval to work. After a document with a "app:" url is finished
parsing we then disable window.eval for that document. We do this because we
want to make it harder for an application developer to download data from the
web using xhr and turn it into code that runs at application privilege level.
I do agree that the change probably should remain specific to PLATFORM(APOLLO)
and should probably be tightened further to just documents with an "app:" url
for the reasons given by Maciej.
--
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list