Also, I want DOM to work too, so it's easy to port to old scripts.
Replying to @sirdarckcat
The more things you want, the fewer things you protect. I think we need to have a conversation about the threat model. :)
Replying to @mikewest
I think we want an easy-to-backport solution, that provides tangible security boundaries to a limited set of operations.
Replying to @sirdarckcat @mikewest
paging Dr @frgx https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/akhawe …
Devdatta Akhawe Retweeted Eduardo Vela
Per page sub origins aim to provide https://twitter.com/sirdarckcat/status/821353906148032514 … and I know @sirdarckcat is a fan ;)
Very similar to PPSO; the only difference is we need to "fallback" specific scripts to their original origin.
Replying to @sirdarckcat @frgx and
Maybe subOrigins + SWs + foreignFetch?
Anything with iframes implies DOM isolation imo. I envision iframes running code in suborigins too.
Spent some time thinking about this on my flight back to .ch. I'm convinced it works except for eval/mustache XSS.
Replying to @sirdarckcat @frgx and
Given that those are "popular" now, I think it doesn't make much sense to implement as a browser feature right now
Whatever it is, we should make this part of CSP and watch the world implode as a massive black hole.
Replying to @arturjanc @frgx and
I've considered making this part of CSP :-). If any, because it would be funny.