- From: David Ross <drx@google.com>
- Date: Mon, 18 Jul 2016 12:48:18 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 18 July 2016 19:49:05 UTC
How would you define URL manipulation? I think the goal of something like EPR should be not to block all paths to navigate into an app, but just to give apps an easy way to control the attack surface they expose. Dave On Mon, Jul 18, 2016 at 9:56 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Mon, Jul 18, 2016 at 6:00 PM, David Ross <drx@google.com> wrote: > > I also see potential for lower-level isolation technologies to evolve and > > provide EPR-like functionality. > > An API for Container Tabs (which makes sense to me, mind you) doesn't > really address the problem of URL manipulation. I guess we could > couple it with not allowing request bodies, which relies on the user > having visited the site at least once, but the attack vector we're > concerned with is mostly sites the user has an established > relationship with I suppose. Maybe that's good enough. Not breaking > URLs is rather nice... > > > -- > https://annevankesteren.nl/ >
Received on Monday, 18 July 2016 19:49:05 UTC