-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Scripting security considerations #64
Comments
Actually, it's a bit more complicated. See: https://github.com/edrlab/r2-streamer-js/blob/develop/docs/origin.md |
Ah yeah you’re right, I forgot to mention the scheme in my initial message for some reason. Sorry. And thanks for the technical recap, it is greatly appreciated. 👍 I quickly checked this morning and a lot of apps using localhost indeed share the same origin. |
Also, since it will be discussed during the next call, I must admit after a lot of checks/tests that it does feel like we could provide guidance for origin – general in R2 repo & “how-to” in test app repos. Mind you, I don’t know the exact reasons why this tends to be an issue in a lot of apps, but it might be that it is quite easy to overlook during app development + it’s more of a web-ish issue as it is primarily related to browsers and JS so you have to know the issue exists in the first place. |
So this is something we very quickly discussed through
localStorage
, and why the origin must be the publication itself – which should be OK if we’re using a localhost, BTW.But, there’s more. Although the EPUB 3.1 spec is D.O.A. and will be replaced with EPUB 3.2 (whatever the name), the security considerations for scripting section will probably be re-used.
Let’s start with DOM Storage, as this is something no Reading System today is doing, at all (excepted through dev tools, when available, which means iBooks and the Readium Cloud Reader).
I can’t tell how it may interact with the General Data Protection Regulation (GDPR) but I guess it’s at least noteworthy. TBH I don’t even know if it interacts with it at all, if the burden is put on authors, etc.
Then
To my knowledge, only iBooks does that when you first open a publication requiring network access/remote resources.
Finally
How to even deal with this?
The text was updated successfully, but these errors were encountered: