Re: [Shadow] URL-based shadows?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 19 Mar 2015 09:24:19 +0100
Message-ID: <CADnb78gW4=iju1wG96yZsB3p9_u_ShLdRjjQb28Jd+i=0WBb+w@mail.gmail.com>
To: Travis Leithead <travis.leithead@microsoft.com>
Cc: Ryosuke Niwa <rniwa@apple.com>, "Dimitri Glazkov (dglazkov@google.com)" <dglazkov@google.com>, WebApps WG <public-webapps@w3.org>, Arron Eicholz <arronei@microsoft.com>

On Thu, Mar 19, 2015 at 12:08 AM, Travis Leithead
<travis.leithead@microsoft.com> wrote:
> 5. I like this. Though it's really only necessary for the cross-origin use case.

I think it's worth mentioning that the existing setup further
encourages the rather dangerous practice of including and trusting
cross-origin scripts. E.g. if you include an HTML import from
angularjs.org you are effectively surrendering all the user's
localStorage, non-protected cookies, indexed DB, etc. to that origin.
Finding ways to move away from such practices while retaining most of
the functionality has significant value.

Received on Thursday, 19 March 2015 08:24:48 UTC
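
An added example, not part of the original message: a small audit pass that lists the cross-origin scripts and HTML imports a page includes, since each of those runs with the including page's origin. The page URL, host names and markup are constructed for illustration, and the regex tag scan is a simplification rather than a full HTML parser.

```javascript
// Constructed sample page (not from the original message).
const SAMPLE_PAGE_URL = "https://shop.example/cart/index.html";
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="import" href="https://widgets.example/rating.html">
<script src="/static/app.js"></script>
<script src="//cdn.example/lib.js"></script>
<SCRIPT SRC='https://widgets.example/track.js'></SCRIPT>
<script>console.log("inline")</script>
`;

// Read one attribute from a tag's source text (quoted or unquoted value).
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] || m[2] || m[3] || "") : null;
}

// Return { origin: [urls] } for every external script or HTML import whose
// origin differs from the page's. Code loaded this way executes as the page's
// origin, so it can read that origin's localStorage, IndexedDB and any cookie
// not marked HttpOnly.
function crossOriginIncludes(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const found = {};
  for (const [tag, kind] of html.matchAll(/<(script|link)\b[^>]*>/gi)) {
    const isScript = kind.toLowerCase() === "script";
    const rel = (attr(tag, "rel") || "").toLowerCase().split(/\s+/);
    if (!isScript && !rel.includes("import")) continue; // e.g. stylesheets
    const ref = attr(tag, isScript ? "src" : "href");
    if (!ref) continue; // inline script: first-party code already
    let url;
    try {
      url = new URL(ref, pageUrl); // resolves relative and //host forms
    } catch {
      continue; // unparseable reference: nothing to attribute
    }
    if (url.origin === pageOrigin) continue;
    (found[url.origin] = found[url.origin] || []).push(url.href);
  }
  return found;
}

console.log(crossOriginIncludes(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

Each origin in the result is a party the page trusts with everything its own scripts can reach.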