On Wed, Dec 13, 2017 at 01:40:35PM -0800, Matthew Hardeman via 
dev-security-policy wrote:
> I'm not sure we need namespace separation for EV versus non-EV subresources.
> 
> The cause for this is simple:
> 
> It is the main page resource at the root of the document which causes each
> sub-resource to be loaded.
> 
> There is a "curatorship", if you will, engaged by the site author.  If
> there are sub-resources loaded in, whether they are EV or not, it is the
> root page author's place to "take responsibility" for the contents of the
> DV or EV validated sub-resources that they cause to be loaded.

Oh, if only that were true -- then every site that embedded a third-party ad
network that served up malware could be done under the CFAA, and the world
would be a much, much better place.

But it isn't, and your "curatorship" model of the web, whilst a lovely idea,
is completely unsupported by reality.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
