On Fri, Sep 25, 2015 at 12:25 PM, Kis, Zoltan <zoltan.kis@intel.com> wrote: > > > On Fri, Sep 25, 2015 at 9:43 PM, Jeffrey Yasskin <jyasskin@google.com> > wrote: > >> On Fri, Sep 25, 2015 at 11:35 AM, Kis, Zoltan <zoltan.kis@intel.com> >> wrote: >> >>> >>> If the browser can restrict writes to own-origin tags, then pages can't >>> rewrite a tag with different origin information. >>> >>> And how the browser would write the tag the first time? >>> Do we require that 1. we only write an empty or "same-origin" tag? >>> Or could a page 2. write a "cross-origin" or "no-origin" tag against a >>> user prompt (powerful feature)? >>> >> >> Writing the initial tag content might not work from the web API; maybe >> you need the manufacturer to initialize it with a trusted origin. Even >> allowing writes to empty tags diverges from the same-origin policy, and >> needs buy-in from the security folks. >> >> > At least we can start with this, and mention in a note (or actually the > Security doc) about what are some other possible policies. > I will make the necessary changes in the spec and the Security document. > Will keep PR #56 open for this (and will change the title). > Perhaps we should also update #3 based on this discussion. > Re #56, it'd be good to merge the grammatical and phrasing fixes in a separate PR from the semantics changes around removing the notion of trusted integrity content. That'll help reviewers focus on the right part. Jeffrey
Received on Friday, 25 September 2015 19:34:21 UTC