no? Why would it be? Only Google-approved code is running on them.
@domenic isn't it a problem for the same origin model that AMP URLs are http://google.com on mobile?
-
so it's relying on a capability based security model to be sure that other code can't sneak in?

-
not... Even a little?
-
we can talk about it next week. Something seems off to me but Twitter's not the best venue

-
Where's the venue? :)
#Caja days gave a bit of experience with um pain, joy & sec corner cases turning all origins into one.
-
I've been hearing from Chrome folks that they prefer SOP to the Caja model. This is what I want to understand.
-
I can understand some of that - there's a lot of legacy code that relies on SOP plus browser controlled defense in depth.