
Re: [Shadow] URL-based shadows?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 19 Mar 2015 09:24:19 +0100
Message-ID: <CADnb78gW4=iju1wG96yZsB3p9_u_ShLdRjjQb28Jd+i=0WBb+w@mail.gmail.com>
To: Travis Leithead <travis.leithead@microsoft.com>
Cc: Ryosuke Niwa <rniwa@apple.com>, "Dimitri Glazkov (dglazkov@google.com)" <dglazkov@google.com>, WebApps WG <public-webapps@w3.org>, Arron Eicholz <arronei@microsoft.com>
On Thu, Mar 19, 2015 at 12:08 AM, Travis Leithead
<travis.leithead@microsoft.com> wrote:
> 5. I like this. Though it's really only necessary for the cross-origin use case.

I think it's worth mentioning that the existing setup further
encourages the rather dangerous practice of including and trusting
cross-origin scripts. E.g. if you include an HTML import from
angularjs.org you are effectively surrendering all the user's
localStorage, non-protected cookies, indexed DB, etc. to that origin.
Finding ways to move away from such practices while retaining most of
the functionality has significant value.


-- 
https://annevankesteren.nl/
Received on Thursday, 19 March 2015 08:24:48 UTC
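
An added example, not part of the original message: a Node.js check that lists the `<script src>` and `<link rel="import">` references in a page that resolve to another origin, which are the includes that run with the embedding page's access to localStorage, cookies and IndexedDB. The page URL, the sample markup (including the path on angularjs.org) and the function names are constructed for illustration.

```javascript
// Added example (constructed inputs): find includes that run with the page's authority.
const PAGE_URL = "https://shop.example/checkout";          // constructed
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="import" href="https://angularjs.org/widget.html">
<script src="/static/app.js"></script>
<script src="//cdn.example/lib.js"></script>
<script>inline()</script>
`;                                                          // constructed markup

// Parse the attribute portion of one start tag into a lowercase-keyed object.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of raw.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return every <script src> and <link rel=import> whose URL resolves to an
// origin other than the page's own. Regex scanning is enough for an audit of
// well-formed markup; it does not handle ">" inside attribute values.
function crossOriginIncludes(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [, name, raw] of html.matchAll(/<(script|link)\b([^>]*)>/gi)) {
    const tag = name.toLowerCase();
    const attrs = parseAttrs(raw);
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
    const ref = tag === "script" ? attrs.src : rel.includes("import") ? attrs.href : null;
    if (!ref) continue;                       // inline script or unrelated <link>
    let target;
    try { target = new URL(ref, pageUrl); } catch { continue; }
    if (target.origin !== pageOrigin) {
      findings.push({ tag, url: target.href, origin: target.origin });
    }
  }
  return findings;
}

console.log(crossOriginIncludes(SAMPLE_HTML, PAGE_URL));
```

The stylesheet link is not reported because it does not execute script in the page; only the import and the protocol-relative script are flagged.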
