On Tue, 2011-08-02 at 19:04 +0000, Ian Hickson wrote:
> On Mon, 1 Aug 2011, Philippe De Ryck wrote:
> >
> > If two browsing contexts X and Y create a messaging channel using ports,
> > no origin guarantees about the sender or receiver of the messages can be
> > given. This is in contrast with the 'Cross-document Messaging'
> > mechanism, where each message has a source and destination origin.
>
> This is intentional. The security model here is a capabilities model,
> where vending a MessagePort inherently grants a right. Exposing an origin
> would actually undermine this, preventing capabilities from being
> furthered to other origins.

The intention of message channels being used in a capabilities model is
not at all clear from the spec. Seeing it in this light, I have two
additional comments:

1. It might be useful to mention this in the spec, so that this
   mechanism is used as intended (instead of just as an easy way to use
   two-way communication). Additionally, mention the consequences that
   this can have (i.e. the granted right can be passed along).

2. I understand that in a capabilities model, the target origin cannot
   be specified. I don't think that this holds for the source origin, so
   is there a specific reason to not include the source origin in the
   message (even though the attribute is available)?

--
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
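
The delegation discussed in this thread, as an added example that is not part of either message: a port vended to one party is passed along to another, and the holder of the other end cannot tell the two apart. It runs under Node.js, whose MessageChannel follows the same interface; the parties X, Y and Z, the hand-off channels and the `cmd` payload are constructed for illustration.

```javascript
// Added example. Loads worker_threads whether the file runs as CommonJS or ESM.
const { MessageChannel, receiveMessageOnPort } = typeof require === 'function'
  ? require('node:worker_threads')
  : process.getBuiltinModule('node:worker_threads');

// Synchronously dequeue one delivery from a port (undefined if the queue is empty).
function take(port) {
  return receiveMessageOnPort(port);
}

function delegationDemo() {
  // X creates the channel and keeps port1. Holding port2 is the capability.
  const service = new MessageChannel();
  // Constructed hand-off channels standing in for X -> Y and Y -> Z.
  const xToY = new MessageChannel();
  const yToZ = new MessageChannel();

  // X vends the capability to Y by transferring port2.
  xToY.port1.postMessage({ cap: service.port2 }, [service.port2]);
  const yCap = take(xToY.port2).message.cap;
  yCap.postMessage({ cmd: 'read' }); // Y exercises the right

  // Y furthers the capability to Z. X is neither asked nor told.
  yToZ.port1.postMessage({ cap: yCap }, [yCap]);
  const zCap = take(yToZ.port2).message.cap;
  zCap.postMessage({ cmd: 'read' }); // Z exercises the same right

  // X receives both deliveries on port1.
  const deliveries = [take(service.port1), take(service.port1)];
  const result = {
    messages: deliveries.map((d) => d.message),
    // Everything a delivery carries: only the payload, nothing names a sender.
    deliveryFields: Object.keys(deliveries[0]),
    queueEmptyAfter: take(service.port1) === undefined,
  };
  const open = [service.port1, zCap, xToY.port1, xToY.port2, yToZ.port1, yToZ.port2];
  for (const p of open) p.close();
  return result;
}

console.log(delegationDemo());
```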
