The specification currently suggests guarding against subdomains. I was
wondering why subdomains are called out and not different ports or even
completely different domains now that postMessage() is available.
Since this particular section keeps talking about domains I was wondering
if it has actually been updated to reflect the switch from a domain-based
policy to an origin-based policy for storage. It seems that some of the
recommendations need to be reworded.
--
Anne van Kesteren
http://annevankesteren.nl/