Same thoughts here, I wouldn't want to expose all the actions of my page to a future attacker.
Secret meaning something like a cookie, where a 3rd party could steal it & do their own requests... or just priv info, like Twitter DMs?
I think it would help if people working on web features generally understood this as the state of play.
It seems hard to keep state out that comes from an authenticated source. Like... how do you build account-based apps?
Not sure if I'm following correctly here, but are you suggesting that JS should always go to the DOM to fetch secret values rather than mem?
I'm suggesting it should come from another source, either HTML, JSON, or whatever, and not be included in the JS source itself.
I'd be down with a CSP-style rule where JS must be static (same hash each run for everyone)
or we could just disallow credentialed CORS for modules!
Oh, that'd be sweet! Any strong resistance to that?
I'm not sure, but I think writing up what I said more formally and then proposing something concrete would allow us to find out!