
Re: CORS

From: Florian Bösch <pyalot@gmail.com>
Date: Wed, 11 Oct 2017 09:54:55 +0200
Message-ID: <CAOK8ODiqOVZf4VOaVRO3MaqOWLG1nKgC5W8er1GmOn3HbatL1g@mail.gmail.com>
To: Jake Archibald <jakearchibald@google.com>
Cc: "Jack (Zhan, Hua Ping)" <jackiszhp@gmail.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>
On Wed, Oct 11, 2017 at 9:41 AM, Jake Archibald <jakearchibald@google.com>
wrote:
>
> Although, it's worth noting that when site A executes a script from site
> B, it is giving site B full control over the page and storage on its origin.
>

On a tangent, it's a pity there doesn't exist a way for a page to load in a
script from another source but have it executed securely in a sandbox with
limited access to some of the page's context. It sure would be nice not to
give Twitter, Google, Disqus, etc. "root" privileges on your site just
because you want some functionality from them.
Received on Wednesday, 11 October 2017 07:55:18 UTC
