Eric Rescorla ☛ Understanding The Web Security Model, Part III: Basic Principles and the Origin Concept

Unlike applications or e-books, the experience of using the Web is not confined to content provided by one vendor. Instead, even if you start on one site, many of your activities on that site will take you to other sites. Consider, for instance, the experience of searching for something using Google. Once you execute the search, Google then gives you a set of links, many of which take you to another site. Google’s relationship to those sites is arms-length at best: it doesn’t control them and doesn’t bear any responsibility for their content beyond some vague assertion that this might be something that was responsive to your search. The situation is the same for other big content platforms like Facebook and Twitter: just because you see some link there doesn’t mean that the site endorses it. In order for the Web to work successfully, people have to feel comfortable visiting arbitrary Web pages, even those controlled by the attacker. It’s the browser’s job to mediate that interaction so that it’s safe. Back in 2011, my coauthors and I described this as the “core security guarantee” of the Web: users can safely visit arbitrary web sites and execute scripts provided by those sites.
Trend Oceans ☛ KeePassXC 2.7.0 is released with major changes

After a long time, KeePassXC gets an update that includes entry tagging, added features to leverage Windows Hello and macOS Touch ID, and many more.