Re: [cors] Two minor processing issues

On Thu, 04 Aug 2011 14:55:48 +0200, Thomas Roessler <> wrote:
> The other observation would be that this approach permits any web site  
> to serve as a communication channel between arbitrary unique origin  
> contexts, in arbitrary browser instances.  That effect seems contrary to  
> the goal of unique origins to me, which is exactly to limit the  
> communication paths available. This strikes me as a feature that's more  
> likely to show up in obscure attacks (or bugs) than in legitimate code.
> I'd find it more intuitive if a unique origin (at least as currently  
> defined) would lead to a hard failure for now.  There might be more  
> sophisticated things one can do about unique (or perhaps public-key  
> based?) origins in the future, but just using "null" isn't one of them.

Can you make this concern more concrete?

We discussed this before. The use case is a sandboxed widget that uses a  
credentialed search API. Since the search API uses the credentials for  
ordering the results there is not much of an issue.

Anne van Kesteren

Received on Thursday, 4 August 2011 13:30:53 UTC