Re: Call for Consensus: Stop work and transition 3 Working Drafts to Working Group Notes

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 18 Jul 2016 18:56:45 +0200
Message-ID: <CADnb78gsHjXtPgKt91X9ySmORzUaPhRZWc3pKwTSriPfE0ktig@mail.gmail.com>
To: David Ross <drx@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Jul 18, 2016 at 6:00 PM, David Ross <drx@google.com> wrote:
> I also see potential for lower-level isolation technologies to evolve and
> provide EPR-like functionality.

An API for Container Tabs (which makes sense to me, mind you) doesn't
really address the problem of URL manipulation. I guess we could
couple it with not allowing request bodies, which relies on the user
having visited the site at least once, but the attack vector we're
concerned with is mostly sites the user has an established
relationship with, I suppose. Maybe that's good enough. Not breaking
URLs is rather nice...


-- 
https://annevankesteren.nl/
Received on Monday, 18 July 2016 16:57:13 UTC