Re: [w3ctag/design-reviews] TAG review for web app `scope_extensions` (Issue #875) from Daniel Appelquist on 2024-03-13 (public-webapps-github@w3.org from March 2024)

From: Daniel Appelquist <notifications@github.com>
Date: Wed, 13 Mar 2024 01:54:49 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/875/1993851650@github.com>

Hi @LuHuangMSFT - just coming back to this now. I think the risk is not necessarily that https://siteb.com can spoof https://sitea.com, but rather than since https://sitea.com can serve content from https://siteb.com *as if it comes from https://sitea.com* that content from https://siteb.com can therefore completely hijack https://sitea.com without the user's knowledge.  So if that understanding is correct then that breaks the security guarantee for web content.  The proposal would need to mitigate against this risk in some way way - for example, scoping this very tightly so that it cannot be abused in this way.  We also think the spec needs a [privacy review](https://github.com/w3cping/privacy-request/issues/new/choose) and we would suggest that you request that separately.  Also, as Sangwhan mentioned, we remain concerned about the uniqueness of the identifier.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/875#issuecomment-1993851650
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/875/1993851650@github.com>

Received on Wednesday, 13 March 2024 08:54:53 UTC