Re: Secure origins, high value code and data, and CAs providing reputational service

> Since both the code and data are higher value, will SOP-busting be
> allowed, like CORS and XHR?

I think the bottom line is that it's essentially impossible to prevent
two willing origins from communicating with each other through various
hacks and side channels baked into the browser environment; in fact,
before postMessage, it used to be common to use location.hash in
hidden frames or abuse features such as window.name. The only
difference was that unlike postMessage and CORS, these hacks were
pretty damn unsafe and provided no well-defined assurances about the
originator and recipient of the relayed messages.

Taking them away is likely to make people regress to less safe
approaches, rather than making them more careful about the parties
they trust.

On top of that, making HTTPS less appealing by removing access to some
well-established features is probably the opposite of where we'd want
to go.

/mz

Received on Saturday, 23 August 2014 05:24:35 UTC
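
The assurances about originator and recipient that the message above credits to postMessage, sketched as an added example that is not part of the original message or written by its author. The peer origin, the message shape (`{type: ...}`) and the function names `sendToPeer` and `makeReceiver` are assumptions made for illustration.

```javascript
// Added example: both ends of a postMessage exchange pin the other party's
// origin. TRUSTED_PEERS and the {type: ...} message shape are hypothetical.
const TRUSTED_PEERS = new Set(["https://accounts.example.com"]);

// Sender side: name the intended recipient origin explicitly. The browser
// delivers the message only if the target window's current origin matches,
// so a frame that has been navigated elsewhere never sees the data.
function sendToPeer(targetWindow, message, peerOrigin) {
  if (peerOrigin === "*" || !TRUSTED_PEERS.has(peerOrigin)) {
    throw new Error("refusing to post to unlisted origin: " + peerOrigin);
  }
  targetWindow.postMessage(message, peerOrigin);
}

// Receiver side: event.origin is filled in by the browser, not by the
// sending script. The location.hash and window.name relays carried no
// such field, so the receiver could not tell who wrote the value.
function makeReceiver(onTrusted) {
  return function handle(event) {
    // Exact string match; prefix or substring checks would also accept
    // origins that merely start with or contain a trusted name.
    if (!TRUSTED_PEERS.has(event.origin)) return false;
    const d = event.data;
    if (d === null || typeof d !== "object" || typeof d.type !== "string") {
      return false; // unexpected shape from a trusted origin is still dropped
    }
    onTrusted(d, event.origin);
    return true;
  };
}

// Constructed events standing in for what a browser would dispatch.
function demo() {
  const accepted = [];
  const receive = makeReceiver((d, origin) => accepted.push(d.type + "@" + origin));
  const results = [
    receive({ origin: "https://accounts.example.com", data: { type: "ping" } }),
    receive({ origin: "https://accounts.example.com.other.test", data: { type: "ping" } }),
    receive({ origin: "https://accounts.example.com", data: "ping" }),
  ];
  return { results, accepted };
}

// In a page: window.addEventListener("message", makeReceiver(handler));
```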