Realm, schmealm!

Boris Zbarsky bzbarsky at MIT.EDU
Thu Aug 1 13:45:55 PDT 2013


On 8/1/13 4:27 PM, Brendan Eich wrote:
> Ok, but Hixie was contrasting with a process-isolated implementation.

Hixie is suggesting process-isolating iframes that are not same-origin 
to start with and can't be made same-origin via document.domain

He is not suggesting process-isolating iframes which might ever become 
same-origin.

So his proposed implementation gives good defence in depth for things 
that are completely different origins and always will be, but does 
nothing for protecting mail.google.com from calendar.google.com, say, 
compared to the current situation..

> I agree the spec is too much about "intersection semantics" or "the
> least that can be required based on browsers" (in 2008? Has nothing
> evolved?). We should talk about what to spec that's agreeable to the
> majors and better for security.

Bobby and I have tried a few times now to get any other implementor to 
be willing to do anything other than what's in the spec right now, with 
... let's call it limited success.

-Boris



More information about the es-discuss mailing list