Re: CORS from Florian Bösch on 2017-10-11 (public-webapps@w3.org from October to December 2017)

From: Florian Bösch <pyalot@gmail.com>
Date: Wed, 11 Oct 2017 09:54:55 +0200
To: Jake Archibald <jakearchibald@google.com>
Cc: "Jack (Zhan, Hua Ping)" <jackiszhp@gmail.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <CAOK8ODiqOVZf4VOaVRO3MaqOWLG1nKgC5W8er1GmOn3HbatL1g@mail.gmail.com>

On Wed, Oct 11, 2017 at 9:41 AM, Jake Archibald <jakearchibald@google.com>
wrote:
>
> Although, it's worth noting that when site A executes a script from site
> B, it is giving site B full control over the page and storage on its origin.
>

On a tangent it's a pity there doesn't exist a way for a page to load in a
script from another source but have it executed securely in a sandbox with
limited access to some of the pages context. It sure would be nice not to
give twitter, google, discus, etc. "root" privileges on your site just
because you want some functionality from them.

Received on Wednesday, 11 October 2017 07:55:18 UTC