- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 27 May 2014 18:25:26 +0200
- To: Marcos Caceres <w3c@marcosc.com>
- Cc: Ben Francis <bfrancis@mozilla.com>, public-webapps <public-webapps@w3.org>
On Tue, May 27, 2014 at 6:11 PM, Marcos Caceres <w3c@marcosc.com> wrote:
> Where this could become a problem in the future is if manifests start granting elevated privileges (e.g., access to specific APIs or unlimited storage). However, the security model could then be refined so that, for instance, only same origin manifests that are served over HTTPS get special powers. In such a case, non-same-origin manifests could be "tainted" and only the basic metadata from the manifest would be used by the user agent.

So long term are we expecting deployment on CDNs on sites that do not want these features too? Sticking to same-origin seems simpler.

--
http://annevankesteren.nl/
Received on Tuesday, 27 May 2014 16:25:54 UTC
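
The "tainting" refinement discussed in the quoted text, sketched as an added example (not code from the thread, from either participant, or from any specification). The function names, the `BASIC_MEMBERS` list and the `permissions` / `storage` members in the sample are assumptions made for illustration.

```javascript
// Added illustration: classify a manifest as "trusted" or "tainted" and
// drop everything except basic metadata when it is tainted.
// Assumption: which members count as "basic metadata".
const BASIC_MEMBERS = ["name", "icons", "start_url", "display"];

function classifyManifest(documentUrl, manifestUrl) {
  const doc = new URL(documentUrl);
  // Resolve a relative manifest URL against the document URL.
  const man = new URL(manifestUrl, doc);
  // URL.origin compares scheme, host and port, with default ports normalised.
  // Opaque origins serialise as "null" and must never match each other.
  const sameOrigin = doc.origin !== "null" && doc.origin === man.origin;
  const secure = doc.protocol === "https:" && man.protocol === "https:";
  return sameOrigin && secure ? "trusted" : "tainted";
}

function applyManifest(documentUrl, manifestUrl, manifest) {
  const trust = classifyManifest(documentUrl, manifestUrl);
  if (trust === "trusted") {
    return { trust, members: { ...manifest } };
  }
  // Tainted: copy only the allowlisted metadata; ignore anything that
  // would grant extra powers, including members unknown to this code.
  const members = {};
  for (const key of BASIC_MEMBERS) {
    if (Object.prototype.hasOwnProperty.call(manifest, key)) {
      members[key] = manifest[key];
    }
  }
  return { trust, members };
}

// Constructed sample manifest; "permissions" and "storage" are hypothetical
// privileged members standing in for "specific APIs or unlimited storage".
const sampleManifest = {
  name: "Example App",
  start_url: "/",
  permissions: ["contacts"],
  storage: "unlimited",
};
```

Filtering by allowlist rather than by a blocklist of privileged members means a tainted manifest cannot gain powers through a member added to the format later.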