On Fri, Mar 11, 2011 at 8:54 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > CDNs of various sorts, dedicated hostnames for different sorts of content > (a la existing images.something.com setups), that sort of thing. > > If we want to not allow cross-site loading at all, those cases break. If we > want to allow it, we should try to make it hard to shoot yourself in the > foot by doing it, imo. > OK, but those are all generally loading from trusted sites, like <script> does. I understand that it would be nice to improve on <script> by protecting against potential compromise of the other site. However, if document authors and component API authors don't think hard about the possibility of their component turning hostile (and I am very confident that they won't!), I fear that the component will be able to wreak havoc in the container via the APIs exposed by the component. For example, if we try to enforce protection via a capability model, it's easy to accidentally leak capabilities through a carelessly designed API. So I'm worried that protecting containers from components will be a burden on the component model that doesn't lead to much practical benefit. But maybe I worry too much :-). Rob -- "Now the Bereans were of more noble character than the Thessalonians, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true." [Acts 17:11]
Received on Thursday, 10 March 2011 21:57:51 UTC