On 8/1/13 4:27 PM, Brendan Eich wrote:
Ok, but Hixie was contrasting with a process-isolated implementation.

Hixie is suggesting process-isolating iframes that are not same-origin to start with and can't be made same-origin via document.domain.

He is not suggesting process-isolating iframes which might ever become same-origin.

So his proposed implementation gives good defence in depth for things that are completely different origins and always will be, but does nothing for protecting mail.google.com from calendar.google.com, say, compared to the current situation.

I agree the spec is too much about "intersection semantics" or "the
least that can be required based on browsers" (in 2008? Has nothing
evolved?). We should talk about what to spec that's agreeable to the
majors and better for security.

Bobby and I have tried a few times now to get any other implementor to be willing to do anything other than what's in the spec right now, with ... let's call it limited success.

-Boris

_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
