Anne van Kesteren
Anne van Kesteren
https://github.com/WebAssembly/spec/pull/1080 would fix this.
In https://github.com/WebAssembly/design/pull/991 there was a decision that `application/wasm;` has to reject. There are tests for this in Gecko, but I'm not sure if there are web-platform-tests as well. Fetch changed...
Even if you can prevent deserialization, how do you prevent handing a reference to a same-site cross-origin frame? I worked through a whole [SameOrigin] IDL attribute for serializable objects until...
Well, but what scenarios are you really breaking if they can hand over the module without using the serialization infrastructure?
I'm not sure how that answers my question? Let me ask another question, what would the new checks be? Would they match the PR I referenced above?
It might, or it might keep people sharing it directly. They have no reason to use `postMessage()` for the scenario under discussion, which is why I'm not really convinced it's...
That's my bad on the imprecise language, I did indeed mean serialized, not transferred (or shared in the memory sense).
There's other issues that follow from this as well, such as whether ```js new RTCPeerConnection({ iceServers: [{ urls:[] }] }); ``` ought to throw. It does in Firefox, but not...
Thanks! Not sure how I missed that. So I guess this comes down to: 1. How to parse and process those URLs given that browsers aim to implement https://url.spec.whatwg.org/, not...
@alvestrand you'll get a path given how these URLs look. (That's also the case with RFC3986 btw, see https://datatracker.ietf.org/doc/html/rfc3986#section-3.) I tried to spell out in https://github.com/w3c/webrtc-pc/pull/2694#discussion_r741251135 in some detail how...