On Tue, Oct 10, 2017 at 5:33 PM, Travis Leithead <travis.leithead@microsoft.com> wrote:

> While the Adobe solution you mention below seems OK at first, note that
> the requestor for permissions is self-granting the permission. In other
> words, it would be just as easy for: https://evil.com/ to add <meta
> name="sameOrigin" content="https://popularbank.com" /> and grant
> permission to itself to access your bank. A self-granting permission model
> just isn't secure--the permission grant must come from the resource being
> requested.

Was about to point that out. Never heard about Adobe's approach, but you'd think that over time Adobe would get security right. Apparently not.

Received on Tuesday, 10 October 2017 16:19:22 UTC
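The difference between the two permission models discussed in this message, as an added example that is not part of the original thread or of any browser's code: the same access decision is made once from the requester's own `sameOrigin` meta tag and once from a grant published by the requested resource. The `allow-access-from` header name, the `partner.example` origin and the `SITES` table are assumptions constructed for the illustration.

```javascript
// Constructed sample data: what each origin itself serves.
// The "sameOrigin" meta tag is the one quoted in the message; the
// "allow-access-from" header is a hypothetical name for a grant
// published by the requested resource.
const SITES = {
  "https://evil.com": {
    html: '<meta name="sameOrigin" content="https://popularbank.com" />',
    headers: {},
  },
  "https://partner.example": { html: "<p>partner app</p>", headers: {} },
  "https://popularbank.com": {
    html: "<p>account data</p>",
    headers: { "allow-access-from": "https://partner.example" },
  },
};

// Origins the requester claims for itself via <meta name="sameOrigin">.
function selfClaimedOrigins(html) {
  const re = /<meta\s+name="sameOrigin"\s+content="([^"]*)"\s*\/?>/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Self-granting model: the decision reads only requester-controlled input.
function selfGrantAllows(requester, target) {
  return selfClaimedOrigins(SITES[requester].html).includes(target);
}

// Resource-granting model: the decision reads only what the target publishes.
function resourceGrantAllows(requester, target) {
  const grant = SITES[target].headers["allow-access-from"] || "";
  return grant.split(",").map((s) => s.trim()).includes(requester);
}

// Evaluate one request under both models for side-by-side comparison.
function evaluate(requester, target) {
  return {
    selfGrant: selfGrantAllows(requester, target),
    resourceGrant: resourceGrantAllows(requester, target),
  };
}

const BANK = "https://popularbank.com";
console.log("evil.com ->", evaluate("https://evil.com", BANK));
console.log("partner  ->", evaluate("https://partner.example", BANK));
```

Under the self-granting check the decision flips on input the requester controls, while the resource-granting check is unaffected by anything the requesting page declares about itself.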