Re: CORS from Maciej Stachowiak on 2017-10-11 (public-webapps@w3.org from October to December 2017)

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 11 Oct 2017 01:16:07 -0700
To: Florian Bösch <pyalot@gmail.com>
Cc: Jake Archibald <jakearchibald@google.com>, "Jack (Zhan, Hua Ping)" <jackiszhp@gmail.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-id: <838795E9-105E-49E5-8E7B-30E83C1A5889@apple.com>

Sent from my iPad

> On Oct 11, 2017, at 12:54 AM, Florian Bösch <pyalot@gmail.com> wrote:
> 
>> On Wed, Oct 11, 2017 at 9:41 AM, Jake Archibald <jakearchibald@google.com> wrote:
>> Although, it's worth noting that when site A executes a script from site B, it is giving site B full control over the page and storage on its origin.
> 
> On a tangent it's a pity there doesn't exist a way for a page to load in a script from another source but have it executed securely in a sandbox with limited access to some of the pages context. It sure would be nice not to give twitter, google, discus, etc. "root" privileges on your site just because you want some functionality from them.

iframes can work for this. They even give the off-site script a sanboxed area to present content and have a safe way to interact with embedding page script via postMessage.

Received on Wednesday, 11 October 2017 08:16:31 UTC