On Monday 28 September 2015 11:20:47 Alex Russell wrote:
> Extension APIs are, by definition, outside SOP; not only do they break SOP
> they exist primarily to subvert it (e.g., content scripts).
>
> This is basic stuff. It's hard to have a conversation about such a
> complicated area without shared understanding of the basics.
True, so help us understand! As this is basic stuff and a misunderstanding, can
you detail, or provide a link to, an explanation of why the SOP is designed to
work against the client providing some local resources?
If I want to protect data on the server, I can understand your interpretation.
Because if I have a server-centric view, of course localhost is my enemy,
capable of injecting malicious things into the scripts. But if I have a
user-agent-centric view, I may trust stuff on my operating system more than
stuff coming over the network, origin or not. And I may trust an origin
sufficiently to make stuff available to it. But does it "break" the SOP to allow
access to local stuff from a script coming from the same known origin? What
about local storage and the SOP? The SQLite database is running on localhost.
Does that break the SOP?
I think the basics are much less clear than some believe they are. But in one's
own belief, they are always clear. I have stepped over that stone many times.
--Rigo
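The thread argues over what the same-origin policy actually scopes. The block below is an added illustration, not code from either participant: it computes the origin tuple (scheme, host, port) with the standard WHATWG URL API, compares origins the way a browser does (default ports collapse, a different port or scheme is a different origin, a file: URL gets an opaque origin that serialises to "null"), and models origin-keyed storage the way localStorage is keyed. The point it makes is that "localhost" is not a unit the SOP reasons about; the origin of the document is, regardless of where the bytes physically live. All URLs and the token value are constructed for the example.

```javascript
// Added example: how the same-origin policy scopes script access and storage.
// Uses only the WHATWG URL API (available in Node.js and every modern browser).
// All URLs and values below are constructed for illustration.

// Serialise a URL to its origin (scheme, host, port). The parser drops
// default ports, so http://host:80 and http://host are the same origin.
// file: URLs get an opaque origin, which serialises to the string "null".
function originOf(url) {
  return new URL(url).origin;
}

// Two URLs are same-origin when their origin tuples match. An opaque origin
// is never same-origin with anything, including another opaque origin.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === "null" || ob === "null") return false;
  return oa === ob;
}

// Minimal model of origin-keyed storage, as localStorage behaves: every
// origin gets its own map. Which machine holds the data is irrelevant;
// the key is the origin of the document that wrote it.
class OriginStorage {
  constructor() {
    this.stores = new Map();
  }
  storeFor(url) {
    const o = originOf(url);
    if (!this.stores.has(o)) this.stores.set(o, new Map());
    return this.stores.get(o);
  }
  setItem(url, key, value) {
    this.storeFor(url).set(key, value);
  }
  getItem(url, key) {
    const s = this.storeFor(url);
    return s.has(key) ? s.get(key) : null;
  }
}

// Walk through the cases discussed in the thread and return the results.
function demo() {
  const storage = new OriginStorage();
  // A page served from port 8080 on localhost stores a value.
  storage.setItem("http://localhost:8080/app/", "token", "constructed-token");
  return {
    // Default port is implied, so these are the same origin.
    defaultPortCollapses: sameOrigin("http://example.test/", "http://example.test:80/x"),
    // Both on localhost, but different ports: different origins.
    localhostDifferentPort: sameOrigin("http://localhost:8080/", "http://localhost:9090/"),
    // Same host, different scheme: different origins.
    differentScheme: sameOrigin("http://example.test/", "https://example.test/"),
    // A local file is not "localhost"; it has an opaque origin.
    fileOrigin: originOf("file:///home/user/page.html"),
    fileNeverSameOrigin: sameOrigin("file:///home/user/a.html", "file:///home/user/a.html"),
    // Another path on the same origin sees the stored value...
    seenBySameOrigin: storage.getItem("http://localhost:8080/other/", "token"),
    // ...while localhost on a different port does not.
    seenByOtherPort: storage.getItem("http://localhost:9090/", "token"),
  };
}

console.log(demo());
```

Note that `sameOrigin` is deliberately stricter than a plain string comparison of `origin`: two file: URLs both serialise to "null" but are not same-origin, which is why local files loaded by a browser cannot read each other's storage either.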