- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Fri, 22 Aug 2014 22:23:47 -0700
- To: noloader@gmail.com
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> Since both the code and data is higher value, will SOP-busting be
> allowed, like CORS and XHR?

I think the bottom line is that it's essentially impossible to prevent two willing origins from communicating with each other through various hacks and side channels baked into the browser environment; in fact, before postMessage, it used to be common to use location.hash in hidden frames or abuse features such as window.name.

The only difference was that unlike postMessage and CORS, these hacks were pretty damn unsafe and provided no well-defined assurances about the originator and recipient of the relayed messages. Taking them away is likely to make people regress to less safe approaches, rather than making them more careful about the parties they trust.

On top of that, making HTTPS less appealing by removing access to some well-established features is probably the opposite of where we'd want to go.

/mz
Received on Saturday, 23 August 2014 05:24:35 UTC
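As an added illustration, not part of the message above, of the "well-defined assurances about the originator and recipient" that postMessage provides and the location.hash / window.name relays did not: the receiver verifies the browser-supplied event.origin before acting on anything, and the sender names the intended recipient with an explicit targetOrigin rather than "*". The origin names, the message envelope shape and the window objects are assumptions made for this example.

```javascript
// Added example: an origin-checked postMessage exchange between two cooperating
// origins. The origin name and the envelope shape are assumptions for illustration.
const TRUSTED_PEER = "https://app.example"; // the only origin we exchange data with

// Sender side: name the intended recipient explicitly. With a targetOrigin of "*"
// the browser would hand the data to whatever document currently occupies the
// frame, which is exactly the assurance the old hash/window.name relays lacked.
function sendToPeer(peerWindow, payload) {
  const envelope = { type: "widget:update", body: payload };
  peerWindow.postMessage(envelope, TRUSTED_PEER);
  return envelope;
}

// Receiver side: event.origin is filled in by the browser from the sending
// document's origin and cannot be set by the sender, so comparing it against an
// allowlist is what turns an anonymous relay into an authenticated channel.
// Returns the accepted message body, or null when the message must be ignored.
function handlePeerMessage(event) {
  if (event.origin !== TRUSTED_PEER) return null;        // unexpected originator
  const data = event.data;
  if (!data || typeof data !== "object") return null;   // not our envelope shape
  if (data.type !== "widget:update") return null;       // unknown message kind
  return data.body;
}

// Wiring in a real page (guarded so the example also loads outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => {
    const body = handlePeerMessage(ev);
    if (body !== null) console.log("accepted update from trusted peer:", body);
  });
}
```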