by ddworken 1922 days ago
This only allows reading data from the current process. Chrome and Edge have something called site-isolation where every site has its own process. In principle, this means that a site can only read its own resources. The catch here is that there are a bunch of different ways a site can include potentially sensitive resources from other sites (e.g. via referencing them with an `img` tag). So sensitive endpoints need to opt in to additional protections that ensure they do not end up in cross-site browser processes.

But no, this isn't game over for running untrusted JS. It just means that we need to assume that JS can access anything in the same process.
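
One way a sensitive endpoint can opt in, as an added example that is not part of the comment above. The comment does not name the mechanisms; this assumes the `Cross-Origin-Resource-Policy` response header and the Fetch Metadata (`Sec-Fetch-*`) request headers, and the handler, function names and sample requests are hypothetical.

```javascript
// Added example. Header names are real; function names and sample requests are constructed.
// Request header names are assumed lowercased, as Node's http module delivers them.

// Response headers a sensitive endpoint sends to opt in to isolation.
const OPT_IN_HEADERS = {
  // Browser refuses no-cors loads (e.g. <img>, <script>) of this response from other origins.
  'Cross-Origin-Resource-Policy': 'same-origin',
  // Keep the declared MIME type authoritative so the body is not sniffed as another type.
  'X-Content-Type-Options': 'nosniff',
  // The decision depends on these request headers, so caches must key on them.
  'Vary': 'Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest',
};

// Decide from Fetch Metadata whether the server should answer at all.
function isAllowed(method, headers) {
  const site = headers['sec-fetch-site'];
  // Clients that send no Fetch Metadata: allow, and rely on the response headers above.
  if (site === undefined) return true;
  // Same-origin, same-site and user-initiated (address bar, bookmark) requests.
  if (['same-origin', 'same-site', 'none'].includes(site)) return true;
  // Cross-site: only a plain top-level GET navigation, never a subresource or frame.
  return method === 'GET' &&
    headers['sec-fetch-mode'] === 'navigate' &&
    headers['sec-fetch-dest'] === 'document';
}

// Hypothetical handler for a sensitive endpoint: returns the response to send.
function handleSensitive(method, headers) {
  if (!isAllowed(method, headers)) {
    return { status: 403, headers: { ...OPT_IN_HEADERS }, body: '' };
  }
  return {
    status: 200,
    headers: { ...OPT_IN_HEADERS, 'Content-Type': 'application/json' },
    body: JSON.stringify({ balance: 1234 }), // constructed sensitive payload
  };
}

// Constructed requests: a cross-site <img> embed, then the site's own fetch().
const crossSiteImg = { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' };
const ownFetch = { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' };
console.log(handleSensitive('GET', crossSiteImg).status);
console.log(handleSensitive('GET', ownFetch).status);
```

The server-side check keeps the sensitive body from being sent to a cross-site embedder at all; the response headers cover browsers that send no Fetch Metadata.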