On Fri, Sep 25, 2015 at 9:43 PM, Jeffrey Yasskin <jyasskin@google.com> wrote: > On Fri, Sep 25, 2015 at 11:35 AM, Kis, Zoltan <zoltan.kis@intel.com> > wrote: > >> >> If the browser can restrict writes to own-origin tags, then pages can't >> rewrite a tag with different origin information. >> >> And how the browser would write the tag the first time? >> Do we require that 1. we only write an empty or "same-origin" tag? >> Or could a page 2. write a "cross-origin" or "no-origin" tag against a >> user prompt (powerful feature)? >> > > Writing the initial tag content might not work from the web API; maybe you > need the manufacturer to initialize it with a trusted origin. Even allowing > writes to empty tags diverges from the same-origin policy, and needs buy-in > from the security folks. > > At least we can start with this, and mention in a note (or actually the Security doc) about what are some other possible policies. I will make the necessary changes in the spec and the Security document. Will keep PR #56 open for this (and will change the title). Perhaps we should also update #3 based on this discussion. I would appreciate input from Nathan concerning this discussion. Best regards, Zoltan
Received on Friday, 25 September 2015 19:26:26 UTC