- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 04 Aug 2011 15:30:22 +0200
- To: "Thomas Roessler" <tlr@w3.org>
- Cc: public-webapps@w3.org, "Philippe De Ryck" <philippe.deryck@cs.kuleuven.be>

On Thu, 04 Aug 2011 14:55:48 +0200, Thomas Roessler <tlr@w3.org> wrote:
> The other observation would be that this approach permits any web site
> to serve as a communication channel between arbitrary unique origin
> contexts, in arbitrary browser instances. That effect seems contrary to
> the goal of unique origins to me, which is exactly to limit the
> communication paths available. This strikes me as a feature that's more
> likely to show up in obscure attacks (or bugs) than in legitimate code.
>
> I'd find it more intuitive if a unique origin (at least as currently
> defined) would lead to a hard failure for now. There might be more
> sophisticated things one can do about unique (or perhaps public-key
> based?) origins in the future, but just using "null" isn't one of them.

Can you make this concern more concrete? We discussed this before. The use case is a sandboxed widget that uses a credentialed search API. Since the search API uses the credentials for ordering the results there is not much of an issue.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Thursday, 4 August 2011 13:30:53 UTC