Requirement: Security context of calling page #3
Comments
|
As with issue #2, this issue is either meant for a different project (direct access from content to native applications) or based on a flawed assumption (browser extension actions always being connected to a specific "calling page") |
|
I hope the updated issue #2 clears this. |
|
This is a tentative resolution of the CG. See the minutes of the discussion. If no dissenting opinion is expressed here within 10 days, this will be considered the consensus of the CG. As this is connected to issue #2 which the CG proposes to close as out of scope, this seems also to be out of scope for this Community Group. The appropriate forum is likely to be the WebPlatform Working Group or the WICG. The security implications of the proposal are also not fully clear, but do seem problematic. The tentative consensus is to close the proposal. |
|
See also #6 |
It seems reasonable that invoked applications inherit the security context of the calling Web page including:
Through this applications will be able showing (in a trustworthy way) invocation domain etc.
The text was updated successfully, but these errors were encountered: