- From: Marcos Caceres <marcosc@opera.com>
- Date: Mon, 09 Nov 2009 11:01:24 +0100
- To: "SULLIVAN, BRYAN L (ATTCINW)" <BS3131@att.com>
- CC: WebApps WG <public-webapps@w3.org>

SULLIVAN, BRYAN L (ATTCINW) wrote:
> Hi Marcos,
>
> To be clear, your answer addresses point (2) only, and while I realize that the idea proposed may not apply to all valid start files, it nonetheless did address the point of the comment. It may not be the best solution but it is just a start on one, I hope.
>
> I still think we should recognize and somehow address the significant limitations of blanket handling of all external references ala "In the default policy, a user agent must deny access to network resources external to the widget by default, whether this access is requested through APIs (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img)."
>
> I think this will have a significant impact on the functionality of web applications that should be able to access wide sources of media content, but want to be more selective on sources of scripts.

Although I understand the rationale, I'm personally not in favor of trying to deviate too much from the Web security model. This proposal seems to make more work for authors rather than providing security enhancements. It also makes more work for implementers in that they need to change the security model of the browsers on which widget engines run.

Kind regards,
Marcos

Received on Monday, 9 November 2009 10:26:23 UTC