bzbarsky at MIT.EDU
Thu Aug 1 13:45:55 PDT 2013
On 8/1/13 4:27 PM, Brendan Eich wrote:
> Ok, but Hixie was contrasting with a process-isolated implementation.
Hixie is suggesting process-isolating iframes that are not same-origin
to start with and can't be made same-origin via document.domain.
He is not suggesting process-isolating iframes which might ever become
So his proposed implementation gives good defence in depth for things
that are completely different origins and always will be, but does
nothing for protecting mail.google.com from calendar.google.com, say,
compared to the current situation.
> I agree the spec is too much about "intersection semantics" or "the
> least that can be required based on browsers" (in 2008? Has nothing
> evolved?). We should talk about what to spec that's agreeable to the
> majors and better for security.
Bobby and I have tried a few times now to get any other implementor to
be willing to do anything other than what's in the spec right now, with
... let's call it limited success.