
Re: CORS

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 11 Oct 2017 01:16:07 -0700
Cc: Jake Archibald <jakearchibald@google.com>, "Jack (Zhan, Hua Ping)" <jackiszhp@gmail.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-id: <838795E9-105E-49E5-8E7B-30E83C1A5889@apple.com>
To: Florian Bösch <pyalot@gmail.com>


Sent from my iPad

> On Oct 11, 2017, at 12:54 AM, Florian Bösch <pyalot@gmail.com> wrote:
> 
>> On Wed, Oct 11, 2017 at 9:41 AM, Jake Archibald <jakearchibald@google.com> wrote:
>> Although, it's worth noting that when site A executes a script from site B, it is giving site B full control over the page and storage on its origin.
> 
> On a tangent it's a pity there doesn't exist a way for a page to load in a script from another source but have it executed securely in a sandbox with limited access to some of the pages context. It sure would be nice not to give twitter, google, discus, etc. "root" privileges on your site just because you want some functionality from them.

iframes can work for this. They even give the off-site script a sandboxed area to present content and have a safe way to interact with embedding page script via postMessage.

Received on Wednesday, 11 October 2017 08:16:31 UTC
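The pattern Maciej describes, as an added example that is not part of the original thread (not his code, nor anything from W3C): the embedding page loads a third-party widget in a cross-origin iframe and exposes only a short list of commands to it over postMessage, so the widget gets a narrow capability instead of script access to the embedder's DOM and storage. The widget origin https://widget.example, the command names and the minimal fake document used to run this outside a browser are all assumptions of this example.

```javascript
// Added example: embedder side of a third-party widget isolated in an iframe.
// Assumed third-party origin; in a real deployment this is the vendor's origin.
const WIDGET_ORIGIN = "https://widget.example";
const MAX_FRAME_HEIGHT = 1200;

// The only things the widget may ask the embedder to do. Anything else is ignored,
// which is the whole point: the frame is not given "root" on the embedding page.
const HANDLERS = {
  ready(frame) {
    frame.dataset.widgetReady = "true";
    return { ok: true };
  },
  resize(frame, payload) {
    const h = Number(payload.height);
    if (!Number.isInteger(h) || h < 0 || h > MAX_FRAME_HEIGHT) {
      return { ok: false, reason: "bad height" };
    }
    frame.style.height = h + "px";
    return { ok: true, height: h };
  },
};

function createWidgetFrame(doc, src) {
  // Refuse to embed anything that is not served from the expected origin.
  if (new URL(src).origin !== WIDGET_ORIGIN) {
    throw new Error("widget src must be on " + WIDGET_ORIGIN);
  }
  const frame = doc.createElement("iframe");
  frame.src = src;
  // The frame is cross-origin, so it already cannot read the embedder's DOM or storage.
  // sandbox additionally removes top-navigation, popups, forms and plugins; we keep
  // allow-same-origin so the widget keeps its own origin and event.origin stays meaningful.
  frame.setAttribute("sandbox", "allow-scripts allow-same-origin");
  return frame;
}

// Message handler for the embedder's window.addEventListener("message", ...).
function acceptMessage(event, frame) {
  // 1. Only the widget's origin may talk to us.
  if (event.origin !== WIDGET_ORIGIN) return { ok: false, reason: "origin" };
  // 2. Only our frame, not some other window that happens to share that origin.
  if (event.source !== frame.contentWindow) return { ok: false, reason: "source" };
  // 3. Shape check before dispatch; hasOwnProperty blocks "constructor", "__proto__" etc.
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.type !== "string") {
    return { ok: false, reason: "shape" };
  }
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, data.type)) {
    return { ok: false, reason: "unknown type" };
  }
  return HANDLERS[data.type](frame, data.payload || {});
}

// Embedder -> widget. The explicit targetOrigin means that if the frame has been
// navigated somewhere else, the message is dropped rather than delivered there.
function sendToWidget(frame, message) {
  frame.contentWindow.postMessage(message, WIDGET_ORIGIN);
}

// Widget -> embedder, run inside the iframe. Same rule: name the embedder's origin.
function widgetRequestResize(parentWindow, embedderOrigin, height) {
  parentWindow.postMessage({ type: "resize", payload: { height } }, embedderOrigin);
}

// Constructed stand-in for the DOM so the example runs outside a browser;
// in a page, pass the real `document` and real MessageEvents instead.
function makeFakeDocument() {
  return {
    createElement(tag) {
      const attrs = {};
      return {
        tagName: tag.toUpperCase(),
        src: "",
        style: {},
        dataset: {},
        contentWindow: {
          sent: [],
          postMessage(msg, targetOrigin) { this.sent.push({ msg, targetOrigin }); },
        },
        setAttribute(k, v) { attrs[k] = String(v); },
        getAttribute(k) { return Object.prototype.hasOwnProperty.call(attrs, k) ? attrs[k] : null; },
      };
    },
  };
}

// Minimal walk-through with the fake document.
function demo() {
  const doc = makeFakeDocument();
  const frame = createWidgetFrame(doc, WIDGET_ORIGIN + "/embed.html?id=42");
  const ok = acceptMessage(
    { origin: WIDGET_ORIGIN, source: frame.contentWindow, data: { type: "resize", payload: { height: 300 } } },
    frame
  );
  const spoofed = acceptMessage(
    { origin: "https://evil.example", source: frame.contentWindow, data: { type: "resize", payload: { height: 300 } } },
    frame
  );
  sendToWidget(frame, { type: "theme", payload: { dark: true } });
  return { ok, spoofed, height: frame.style.height, sent: frame.contentWindow.sent };
}
demo();
```

If you drop allow-same-origin from the sandbox list, the frame gets an opaque origin and `event.origin` arrives as the string "null"; the origin comparison above then always fails, so in that configuration identify the sender by `event.source` alone and never rely on the origin string. The origin check, the source check and the fixed command table are the three things that keep the widget's reach limited to what the embedder chose to expose.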
