On Tue, May 27, 2014 at 6:11 PM, Marcos Caceres <w...@marcosc.com> wrote:
> Where this could become a problem in the future is if manifests start 
> granting elevated privileges (e.g., access to specific APIs or unlimited 
> storage). However, the security model could then be refined so that, for 
> instance, only same origin manifests that are served over HTTPS get special 
> powers. In such a case, non-same-origin manifests could be "tainted" and only 
> the basic metadata from the manifest would be used by the user agent.

So long term are we expecting deployment on CDNs on sites that do not
want these features too? Sticking to same-origin seems simpler.


-- 
http://annevankesteren.nl/
