Scripting security considerations #64
Comments
Actually, it's a bit more complicated. See: https://github.com/edrlab/r2-streamer-js/blob/develop/docs/origin.md |
|
Ah yeah you’re right, I forgot to mention the scheme in my initial message for some reason. Sorry. And thanks for the technical recap, it is greatly appreciated. 👍 I quickly checked this morning and a lot of apps using localhost indeed share the same origin. |
|
Also, since it will be discussed during the next call, I must admit after a lot of checks/tests that it does feel like we could provide guidance for origin – general in R2 repo & “how-to” in test app repos. Mind you, I don’t know the exact reasons why this tends to be an issue in a lot of apps, but it might be that it is quite easy to overlook during app development + it’s more of a web-ish issue as it is primarily related to browsers and JS so you have to know the issue exists in the first place. |
So this is something we very quickly discussed through
localStorage, and why the origin must be the publication itself – which should be OK if we’re using a localhost, BTW.But, there’s more. Although the EPUB 3.1 spec is D.O.A. and will be replaced with EPUB 3.2 (whatever the name), the security considerations for scripting section will probably be re-used.
Let’s start with DOM Storage, as this is something no Reading System today is doing, at all (excepted through dev tools, when available, which means iBooks and the Readium Cloud Reader).
I can’t tell how it may interact with the General Data Protection Regulation (GDPR) but I guess it’s at least noteworthy. TBH I don’t even know if it interacts with it at all, if the burden is put on authors, etc.
Then
To my knowledge, only iBooks does that when you first open a publication requiring network access/remote resources.
Finally
How to even deal with this?
The text was updated successfully, but these errors were encountered: