On Fri, Jan 30, 2015 at 10:40 PM, Brian Smith <br...@briansmith.org> wrote:
> Anyway, my point isn't to suggest that Mozilla should ask for this
> item to be removed from the charter. Rather, my point is that this
> item has some pretty big, non-obvious ramifications (not just related
> to tracking) that Mozilla should understand. I think what you said
> about it being described in an unclear way is a good response. Joel
> Weinberger from the Chrome Security Team already explained a lot of it
> to me privately. I recommend talking to him about it, if you want to
> understand it better.
>

Perhaps I don't understand very well either, but from your emails at least, <script src="some://other/origin.js"/> isn't materially different from a same-origin perspective as <script src="the://same/origin.js"/> given that scripts adopt the including origin. So there isn't any advantage to the site for this specific case.

Iframes are different of course, but I don't see how this materially changes the game. After all, those tools would be able to use sub-origin information to aid in identification in the same way that the site might use them against them.

This all comes down to the information that the blocking tools have available for use in identifying unwanted material. Those tools are already far more sophisticated and granular than origin.

If you think that artificially impeding the escalation of this "arms race" is worthwhile, I guess that's a fine position to hold, but I just can't see this particular non-obvious ramification to be especially dangerous from this perspective.

The only thing that concerns me here is that it creates a division that only advantages a small few. Sites big enough to have a need for multiple distinct isolation zones. And what *won't* be partitioned. Will we also ensure that permissions (geolocation, user media, etc...) are similarly partitioned? Or will a large provider be able to share information that is of advantage to it, while benefiting from isolation on what it wants isolated.

I don't have a fundamental objection to that level of control, but it seems like a lot of work. And I wonder who benefits.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform