Re: Defining secure-enough origins.

From: Chris Palmer <palmer@google.com>
Date: Mon, 25 Aug 2014 11:27:07 -0700
Message-ID: <CAOuvq20PuRLjOTrKPkAQ8MJ5KD5VicdRXw-D65yqJRLrNzWiLA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Ryan Sleevi <sleevi@google.com>, Anne van Kesteren <annevk@annevk.nl>

On Fri, Aug 22, 2014 at 11:50 AM, Mike West <mkwst@google.com> wrote:

> Hrm. The two have similar properties, and should be treated similarly. More
> to the point: I don't think there's any good justification for allowing
> 'javascript:' resources access to the kinds of APIs that we're talking about
> restricting. I wouldn't be sad if sandboxing them into unique origins
> prevented them from accessing such APIs.

I am inclined to agree.

Received on Monday, 25 August 2014 18:27:34 UTC