- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 15 Mar 2013 16:54:18 +0000
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: public-webapps <public-webapps@w3.org>
On Fri, Mar 15, 2013 at 4:37 PM, Hill, Brad <bhill@paypal-inc.com> wrote: > As I mentioned in my introductory message, I am specifically interested in the security model of components loaded cross-origin - do they get complete control of the application / DOM into which they are loaded? Does an application have any ability to restrict or explicitly pass capabilities to a cross-origin component? What's currently specified at https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/components/index.html means that the page including the components gets full access to do something with them. It's basically nothing more than exposing the document response what you can do with XMLHttpRequest. It does seem problematic if we start building automatic component creation on top of that as that basically gives you <script> all over again. -- http://annevankesteren.nl/
Received on Friday, 15 March 2013 16:54:46 UTC