- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 10 Mar 2011 12:35:28 -0800
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: robert@ocallahan.org, Dimitri Glazkov <dglazkov@chromium.org>, public-webapps <public-webapps@w3.org>

On Thu, Mar 10, 2011 at 11:54 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 3/10/11 4:59 AM, Robert O'Callahan wrote:
>>
>> On Thu, Mar 10, 2011 at 4:17 PM, Boris Zbarsky <bzbarsky@mit.edu
>> <mailto:bzbarsky@mit.edu>> wrote:
>>
>> 1) Cross-site components are safe to use.
>>
>> I'm less enthusiastic about #1. In many situations, perhaps most,
>> developers can choose to trust a component and host it themselves, and
>> there's no problem. Some "widget" use cases can be solved with IFRAMEs
>> instead. What use cases for cross-site component loading are left?
>
> CDNs of various sorts, dedicated hostnames for different sorts of content (a
> la existing images.something.com setups), that sort of thing.
>
> If we want to not allow cross-site loading at all, those cases break. If we
> want to allow it, we should try to make it hard to shoot yourself in the
> foot by doing it, imo.

IMHO, it's important to make cross-site interactions predictable. For
example, <script> works well with CDNs but doesn't provide any
isolation. Now, you might say that <script> leaves something to be
desired w.r.t. security, and I'd certainly agree. :)

Adam

Received on Thursday, 10 March 2011 20:36:36 UTC