Re: [w3ctag/design-reviews] TAG Review Request: User Activation API (#300)

Re: `postMessage` overrides: WebIDL handles them quite well and it is quite simple to feature-detect. Chrome has proceeded already in enabling this in Chrome 70.

Liveness of `UserActivation`: your interpretation is correct (live on `navigator`, static on `MessageEvent`). We talked about the attribute name on `MessageEvent` indicating snapshot or something like that, but people didn't prefer the extra verboseness.

`PostMessageOptions` `targetOrigin`: it shouldn't be a surprise; it is the most restrictive, so it is a good ergonomic change for the web, i.e. you need to explicitly change to a less restrictive option, which then can leak data cross-origin.

`transfer`: we can certainly debate this point, but we've merged this change already into the HTML spec and Chrome has this for Chrome 70.

dbaron, thank you for your comments. Do you have any thoughts as to the implications that exposing `UserActivation` cross-origin has? I believe there are already approaches to get this data in the same origin as per my examples. But the new behaviour is that it is exposed to another origin. We restricted this so it was opt-in, so I think we mitigate any concerns here. But generally one origin shouldn't know that the user is interacting with another origin.


-- 
https://github.com/w3ctag/design-reviews/issues/300#issuecomment-423555607

Received on Friday, 21 September 2018 14:41:18 UTC
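
The following is an added example, not part of the original message and not code from Chrome or the HTML spec. It sketches the feature detection and the opt-in cross-origin exposure discussed above, with the receiver treating `MessageEvent.userActivation` as a snapshot from an allow-listed origin only. The option name `includeUserActivation` (Chromium's name, not stated in the message), the helper names and the `*.example` origins are assumptions.

```javascript
// Detect the options-dictionary overload of postMessage. An engine that
// supports it reads dictionary members (the getter fires); a legacy engine
// stringifies the object as a targetOrigin and throws. The probe itself posts
// a null message restricted to the sender's own origin ("/").
function supportsOptionsOverload(target) {
  let memberRead = false;
  const probe = { get targetOrigin() { memberRead = true; return '/'; } };
  try { target.postMessage(null, probe); } catch (_) { return false; }
  return memberRead;
}

// Sender: name the receiver's origin explicitly and opt in to sharing the
// activation state. Returns true when the activation snapshot was requested.
function sendWithActivation(target, message, receiverOrigin) {
  if (!supportsOptionsOverload(target)) {
    target.postMessage(message, receiverOrigin); // legacy form, no activation
    return false;
  }
  target.postMessage(message, {
    targetOrigin: receiverOrigin,
    includeUserActivation: true, // assumed option name (Chromium)
  });
  return true;
}

// Receiver: check the sender's origin first, then read the snapshot.
// userActivation is null unless the sender opted in, and it does not update
// after delivery, so it describes the moment of sending only.
function readActivation(event, allowedOrigins) {
  if (!allowedOrigins.includes(event.origin)) return { accepted: false };
  const ua = event.userActivation || null;
  return {
    accepted: true,
    senderOptedIn: ua !== null,
    wasActiveAtSend: ua ? ua.isActive === true : false,
  };
}
```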