
Re: [cors] Two minor processing issues

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 04 Aug 2011 15:30:22 +0200
To: "Thomas Roessler" <tlr@w3.org>
Cc: public-webapps@w3.org, "Philippe De Ryck" <philippe.deryck@cs.kuleuven.be>
Message-ID: <op.vzoygwyb64w2qv@annevk-macbookpro.local>

On Thu, 04 Aug 2011 14:55:48 +0200, Thomas Roessler <tlr@w3.org> wrote:
> The other observation would be that this approach permits any web site  
> to serve as a communication channel between arbitrary unique origin  
> contexts, in arbitrary browser instances.  That effect seems contrary to  
> the goal of unique origins to me, which is exactly to limit the  
> communication paths available. This strikes me as a feature that's more  
> likely to show up in obscure attacks (or bugs) than in legitimate code.
>
> I'd find it more intuitive if a unique origin (at least as currently  
> defined) would lead to a hard failure for now.  There might be more  
> sophisticated things one can do about unique (or perhaps public-key  
> based?) origins in the future, but just using "null" isn't one of them.

Can you make this concern more concrete?

We discussed this before. The use case is a sandboxed widget that uses a
credentialed search API. Since the search API uses the credentials for
ordering the results, there is not much of an issue.


-- 
Anne van Kesteren
http://annevankesteren.nl/
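The point Thomas raises above is that a unique origin (a sandboxed iframe, a data: URL) serializes as the literal string "null" in the Origin header, so a server that whitelists or reflects "null" in Access-Control-Allow-Origin ends up answering to every such context at once. The following is an added illustration written for this archive page, not code from the thread or from the CORS specification: a server-side decision helper that treats "null" as untrusted and matches only an explicit allow-list, shown next to the permissive reflect-anything variant for contrast. The allow-list entry, the function names and the credential policy are assumptions made up for the example.

```python
# Added example (not part of the original message): server-side CORS policy
# that refuses the "null" origin. All names and values here are constructed.
from typing import Dict, Optional

# Constructed allow-list: the one origin this hypothetical search API trusts.
ALLOWED_ORIGINS = {"https://widgets.example.com"}


def cors_response_headers(origin_header: Optional[str],
                          allow_credentials: bool) -> Dict[str, str]:
    """Return the Access-Control-* headers to emit for a request's Origin.

    - No Origin header: not a cross-origin request from a browser; emit nothing.
    - "null": the serialization of a unique (opaque) origin. Any sandboxed
      frame or data: URL sends exactly this value, so allowing it means
      allowing all of them; it is refused rather than matched or reflected.
    - Otherwise: exact match against the allow-list. Arbitrary origins are
      never echoed back, which matters most when credentials are allowed.
    """
    if origin_header is None or origin_header == "null":
        return {}
    if origin_header not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin_header,
        # The answer depends on Origin, so caches must key on it.
        "Vary": "Origin",
    }
    if allow_credentials:
        # "*" cannot be combined with credentials, so the concrete origin is
        # echoed only after it has passed the allow-list check above.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def reflect_any_origin(origin_header: Optional[str]) -> Dict[str, str]:
    """The permissive pattern the thread warns about, kept here for contrast.

    Echoing whatever Origin arrives, "null" included, with credentials
    enabled lets every unique-origin context read the credentialed response.
    """
    if origin_header is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin_header,
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    for origin in (None, "null", "https://widgets.example.com",
                   "https://other.example"):
        print(repr(origin), "->", cors_response_headers(origin, True))
```

Running the block prints one line per constructed Origin value; only the allow-listed origin receives any Access-Control-* headers, while "null" and the unlisted origin get an empty set and the browser blocks the read.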
Received on Thursday, 4 August 2011 13:30:53 GMT
