- From: Charles McCathie Nevile <chaals@yandex-team.ru>
- Date: Fri, 21 Jun 2013 10:02:48 +0200
- To: "Anne van Kesteren" <annevk@annevk.nl>
- Cc: "Marcos Caceres" <mcaceres@mozilla.com>, "WebApps WG" <public-webapps@w3.org>

On Fri, 21 Jun 2013 09:15:30 +0200, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Jun 19, 2013 at 7:39 PM, Charles McCathie Nevile
> <chaals@yandex-team.ru> wrote:
>> One of the scenarios I have in mind is where a few apps from an origin
>> use some common stuff. Which is obviously increasing the attack surface
>> in the way that you mention, but if the same people are forced to use
>> different origins for stuff that is copy-pasted across then I am not
>> sure we are really exposing anything new except a requirement to buy
>> more domains...
>
> Well, sharing data via messages rather than having actual shared data
> is a big benefit security-wise.

Yeah, definitely. To be honest I was thinking of sharing e.g. scripts and images - semi-static resources.

> Because the boundary is there by default, you instead need to think
> about what to expose to other applications and what is safe.

In principle that's true, but I am suspicious that the net effect is that people just reflexively copy-paste a pile of stuff without thinking very hard (similar to the way they just import a whole library because they want a couple of functions).

> You'll also scale better as you can more easily integrate with services
> running on other systems.

(I need to think about that to be sure I understand it)

cheers

Chaals

--
Charles McCathie Nevile - Consultant (web standards) CTO Office, Yandex
chaals@yandex-team.ru Find more at http://yandex.com

Received on Friday, 21 June 2013 08:03:20 UTC