- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 15 Jan 2014 09:23:00 +0000
- To: Nasko Oskov <nasko@chromium.org>
- Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, TAG <www-tag@w3.org>, Charlie Reis <creis@chromium.org>
On Tue, Jan 14, 2014 at 6:46 PM, Nasko Oskov <nasko@chromium.org> wrote: > In a pop-up window, the navigation is actually top level. The reason for it > not working though is that windows with synchronous scripting relationships > must stay in the same renderer process, hence they cannot use different > storage partitions. This causes the user to have to login in a pop-up for > each isolated origin, which defeats the purpose of origin isolation. Could we isolate these similar to <iframe>? Perhaps with a new API? > While a[t] this, I should mention that we do not isolate on the basis of > origins, rather on the concept of "site". It includes the scheme and the > registered domain name, so relaxing origin through document.domain is not > broken. It excludes subdomains and port numbers. It seems that if a site opts into this better security model, we could go and disable document.domain... -- http://annevankesteren.nl/
Received on Wednesday, 15 January 2014 09:23:30 UTC