On Tue, Oct 10, 2017 at 5:33 PM, Travis Leithead <
travis.leithead@microsoft.com> wrote:
> While the Adobe solution you mention below seems OK at first, note that
> the requestor for permissions is self-granting the permission. In other
> words, it would be just as easy for: https://evil.com/ to add <meta
> name="sameOrigin" content="https://popularbank.com" /> and grant
> permission to itself to access your bank. A self-granting permission model
> just isn't secure--the permission grant must come from the resource being
> requested.
Was about to point that out. Never heard about Adobes approach, but you'd
think that overtime Adobe would get security right. Apparently not.