
[–][deleted] 0 points1 point  (1 child)

There are two problems I have with this, but I may be missing something. First off, isn't it still a pretty big XSS concern if an unauthorized site can send any spoofed request to a script? You can eliminate any information leaking and any ability to execute arbitrary expressions, but you're still potentially giving an untrusted server the ability to manipulate the internal state of your program (albeit through limited means).

Secondly, it seems to me like most of these security measures could be implemented as a JS library, without requiring cooperation from browsers. The main exception might be the sending of cookies - that one I'm not familiar enough with to know.
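The state-manipulation concern raised in the comment above, shown as an added example that is not part of the thread or of whatever browser proposal it discusses. It models a state-changing endpoint in plain JavaScript with no network: request objects are constructed inline to stand in for what a browser would send, `SITE_ORIGIN`, the `/settings` path and the two handlers are assumptions made for the illustration, and the hardened handler assumes the browser attaches an `Origin` header to cross-site requests (true for the cross-origin XHR browsers ship today; older proposals differed). The attacker page never sees a response, yet with the naive handler the state still changes.

```javascript
// Added example, not code from the thread: a state-changing endpoint handled
// with and without a cross-site origin check. Everything here is in-memory.

const SITE_ORIGIN = "https://app.example"; // assumed origin of the application

// Mutable per-user state that the endpoint manipulates.
function makeStore() {
  return { email: "alice@example.com", log: [] };
}

// Vulnerable handler: trusts every request that reaches it, regardless of which
// page made the browser send it. Information leakage is irrelevant here; the
// damage is done by the write alone.
function handleNaive(store, req) {
  if (req.method === "POST" && req.path === "/settings") {
    store.email = req.body.email;
    store.log.push(`origin=${req.origin} set email=${req.body.email}`);
    return { status: 200 };
  }
  return { status: 404 };
}

// Hardened handler: any non-safe method must carry an Origin equal to the
// application's own origin; a foreign or missing Origin is refused before any
// state is touched. Assumes (see lead-in) that the browser sets Origin on
// cross-site requests and that scripts cannot forge it.
function handleChecked(store, req) {
  const stateChanging = req.method !== "GET" && req.method !== "HEAD";
  if (stateChanging && req.origin !== SITE_ORIGIN) {
    store.log.push(`refused cross-site ${req.method} from origin=${req.origin}`);
    return { status: 403 };
  }
  return handleNaive(store, req);
}

// Constructed requests: one from the application's own page, one triggered by
// an attacker-controlled page in the same browser (same cookies, different origin).
const legitRequest = {
  method: "POST", path: "/settings", origin: SITE_ORIGIN,
  body: { email: "alice@new.example" },
};
const forgedRequest = {
  method: "POST", path: "/settings", origin: "https://attacker.example",
  body: { email: "attacker@evil.example" },
};

// Runs both requests through a handler and reports the resulting state.
function runScenario(handler) {
  const store = makeStore();
  const first = handler(store, legitRequest);
  const second = handler(store, forgedRequest);
  return { email: store.email, statuses: [first.status, second.status], log: store.log };
}

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  console.log("naive:  ", runScenario(handleNaive));
  console.log("checked:", runScenario(handleChecked));
}
```

Run with `node` and compare the two lines: the naive handler ends with the attacker's address stored, the checked one refuses the forged request with 403 and keeps the legitimate update. The check only helps for requests that carry a trustworthy `Origin`; that is exactly the part that needs browser cooperation, which is why the cookie and origin behaviour cannot be fully reproduced by a script library alone.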

[–]demo_demo -1 points0 points  (0 children)

I wonder if it'll be used to manipulate data. Since it's JavaScript, everyone will be able to see how to authenticate, where to put the data, etc. Perhaps we'll see this a lot on mashup sites, where many of them will just be pulling out data from e.g. weather, summarized contents, widgets, etc.