Re: [w3ctag/design-reviews] TAG review for web app `scope_extensions` (Issue #875)

Hi @diekus – Thanks for sending us this. Briefly, we're concerned about the way that this proposal changes the same-origin model, which is a fundamental part of the security apparatus of the web. Hence we think we need to tread very carefully.  We think the explainer should be very explicit about what the expanded scope does and does not allow access to.  We'd also like to see some specific use cases and discussion of abuse cases (and how those abuse cases are mitigated). E.g. if you are tricked into visiting or downloading a malicious app that is spoofing your bank, and it includes your bank's origin in its scope_extensions field, are there additional exploits that the malicious party could exploit (e.g. obtaining credentials or capturing links)? Are there any implications for access to local storage from different origins?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/875#issuecomment-1709547082

Received on Thursday, 7 September 2023 06:26:28 UTC