I've just been reading through the WARP spec again, and in particular this 
stood out:

In the default policy, a user agent must deny access to network resources 
external to the widget by default, whether this access is requested through 
APIs (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img).

I'm not sure if this statement is actually helpful here. While it makes sense 
that WARP defines policies that widen access beyond whatever the UA's default 
policy may be, is it strictly necessary to define the default policy? 

For example, this implies that a UA should actively block widgets using JSONP, 
CORS, Google's Ajax libraries, CDNs, or even a widget just grabbing its 
company's icon off their website in an img tag. 

Now there may be UAs who have a default policy that is this strict, but 
requiring this to be the default policy as a conformance requirement for any 
WARP implementation seems OTT.

S
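As an added illustration of the default policy the post quotes (not code from the WARP spec, the W3C, or the poster), the following Python models how a user agent evaluates a widget's access requests: every external URL is denied unless an `<access>` element grants it, with `origin="*"` opening everything, and `subdomains="true"` extending a grant to subdomains of the listed host. The matching rules (scheme, host and port must agree; default ports normalised) follow the spec's origin comparison as I understand it, and the rule list and URLs are constructed sample values, so treat the specifics as an assumption rather than a reference implementation.

```python
from urllib.parse import urlsplit

# Default ports so that "https://example.com" and "https://example.com:443"
# compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, lower-cased, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def access_rule(origin, subdomains=False):
    """Model one <access origin="..." subdomains="..."> element from config.xml.

    origin="*" grants access to every external network resource; otherwise the
    origin is a scheme://host[:port] value that is compared with each request.
    """
    if origin == "*":
        return {"wildcard": True}
    scheme, host, port = origin_of(origin)
    return {"wildcard": False, "scheme": scheme, "host": host,
            "port": port, "subdomains": subdomains}


def rule_matches(rule, url):
    """True if this single rule grants access to url."""
    if rule["wildcard"]:
        return True
    scheme, host, port = origin_of(url)
    # Scheme and port must match exactly; http and https are different origins.
    if scheme != rule["scheme"] or port != rule["port"]:
        return False
    if host == rule["host"]:
        return True
    # subdomains="true" also admits hosts *under* the listed host, never siblings.
    return bool(rule["subdomains"] and host.endswith("." + rule["host"]))


def is_allowed(url, rules):
    """Default-deny policy: an external URL is reachable only if some rule grants it."""
    return any(rule_matches(rule, url) for rule in rules)


# Constructed sample policy: the widget vendor's own site (and its subdomains)
# plus one CDN host, nothing else.
SAMPLE_RULES = [
    access_rule("https://example.com", subdomains=True),
    access_rule("http://cdn.example.net"),
]

# Constructed sample requests a widget might make (icon, script library, API call).
SAMPLE_REQUESTS = [
    "https://example.com/icon.png",            # vendor site: allowed
    "https://static.example.com/app.js",       # subdomain of vendor site: allowed
    "http://example.com/icon.png",             # wrong scheme: denied
    "https://example.com:8443/api",            # wrong port: denied
    "http://cdn.example.net/jquery.js",        # listed CDN: allowed
    "http://www.cdn.example.net/jquery.js",    # subdomains not granted for the CDN: denied
    "https://ajax.googleapis.com/lib.js",      # not listed at all: denied by default
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"{'ALLOW' if is_allowed(url, SAMPLE_RULES) else 'DENY ':5} {url}")
    print("with origin=\"*\":", is_allowed(SAMPLE_REQUESTS[-1], [access_rule("*")]))
```

Run as a script it prints one ALLOW/DENY line per sample request; the point of the model is that the seventh request, a library fetched from an origin the widget never declared, is refused under the quoted default policy even though nothing about it is unusual for a web application.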
