- From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- Date: Wed, 03 Aug 2011 11:07:05 +0200
- To: public-html-comments@w3.org
- Cc: Giles Hogben <Giles.Hogben@enisa.europa.eu>, Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
On Tue, 2011-08-02 at 19:04 +0000, Ian Hickson wrote:
> On Mon, 1 Aug 2011, Philippe De Ryck wrote:
> >
> > If two browsing contexts X and Y create a messaging channel using ports,
> > no origin guarantees about the sender or receiver of the messages can be
> > given. This is in contrast with the 'Cross-document Messaging'
> > mechanism, where each message has a source and destination origin.
>
> This is intentional. The security model here is a capabilities model,
> where vending a MessagePort inherently grants a right. Exposing an origin
> would actually undermine this, preventing capabilities from being
> furthered to other origins.

The intention of message channels being used in a capabilities model is
not at all clear from the spec. Seeing it in this light, I have two
additional comments:

1. It might be useful to mention this in the spec, so that this mechanism
is used as intended (instead of just as an easy way to use two-way
communication). Additionally, mention the consequences that this can
have (i.e. the granted right can be passed along)

2. I understand that in a capabilities model, the target origin cannot
be specified. I don't think that this holds for the source origin, so is
there a specific reason to not include the source origin in the message
(even though the attribute is available)?

--
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Received on Wednesday, 3 August 2011 09:20:30 UTC
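The forwarding consequence discussed in this message, as an added example that is not part of the original e-mail or of the spec. Node.js `worker_threads` ports stand in for browser MessagePorts (an assumption; Node has no origins, so only the port-transfer behaviour is modelled), and `transfer`, `demoForwardedCapability` and the `grants` map are hypothetical names.

```javascript
// Added example: Node.js ports used as a stand-in for browser MessagePorts.
const { MessageChannel, receiveMessageOnPort } = require('node:worker_threads');

// Hand a port to another party over a carrier channel, the way a port is
// vended with postMessage(msg, [port]). Returns the port as the receiver sees it.
function transfer(port) {
  const carrier = new MessageChannel();
  carrier.port1.postMessage({ cap: port }, [port]);
  const received = receiveMessageOnPort(carrier.port2).message.cap;
  carrier.port1.close();
  return received;
}

function demoForwardedCapability() {
  // X creates one channel per grant and records who it vended port2 to.
  const grant = new MessageChannel();
  const grants = new Map([[grant.port1, 'vended to Y']]); // X's own bookkeeping

  // X -> Y: Y now holds the capability and uses it.
  const yPort = transfer(grant.port2);
  yPort.postMessage({ op: 'read' });
  const viaY = receiveMessageOnPort(grant.port1).message;

  // Y -> Z: Y passes the capability on, X takes no part in this step.
  const zPort = transfer(yPort);
  zPort.postMessage({ op: 'read' });
  const viaZ = receiveMessageOnPort(grant.port1).message;

  const result = {
    viaY,
    viaZ,
    // All X can say about either message is which grant it arrived on,
    // not which party currently holds the other end of the channel.
    attributedTo: grants.get(grant.port1),
  };
  grant.port1.close(); // closing X's end revokes the grant for any holder
  return result;
}

console.log(demoForwardedCapability());
```

Keeping one channel per grant, as X does here, lets the receiving side scope what each port may do even though it cannot tell who is holding it.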