Re: security model of Web Components, etc. - joint work with WebAppSec?

On Fri, Mar 15, 2013 at 4:37 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> As I mentioned in my introductory message, I am specifically interested in the security model of components loaded cross-origin - do they get complete control of the application / DOM into which they are loaded?  Does an application have any ability to restrict or explicitly pass capabilities to a cross-origin component?

What's currently specified at
https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/components/index.html
means that the page including the components gets full access to do
something with them. It's basically nothing more than exposing the
document response, as you can do with XMLHttpRequest.

It does seem problematic if we start building automatic component
creation on top of that as that basically gives you <script> all over
again.


-- 
http://annevankesteren.nl/

Received on Friday, 15 March 2013 16:54:46 UTC