- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 19 Jul 2016 09:49:27 +0200
- To: David Ross <drx@google.com>
- Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jul 18, 2016 at 9:48 PM, David Ross <drx@google.com> wrote:
> How would you define URL manipulation?

Creating your own path/query/fragment.

> I think the goal of something like EPR should be not to block all paths to
> navigate into an app, but just to give apps an easy way to control the
> attack surface they expose.

Yeah, maybe if the browser acted as a shield for certain URLs that could be enough. But yeah, deep linking is a concern. Providing cookie isolation and request method/body isolation might be sufficient...

--
https://annevankesteren.nl/
Received on Tuesday, 19 July 2016 07:49:59 UTC