Design Principles
Simon Bennetts edited this page Jul 6, 2018 · 2 revisions
- Minimise the data cached in the browser
- Only maintain data that is required to improve the UI experience
- Where possible, always query the ZAP API dynamically from the UI
- ZAP events should only be received by the service worker
- The ZAP API can be called directly from any frame on the ZAP domain
- The ZAP API must never be called directly from any frame on the target domain
- Data should only be accepted from the target domain when it can be protected by a shared secret that cannot be accessed from the target server
- Data from the target domain should never be fully trusted; it should be treated as potentially tainted
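As an added illustration of the last three principles (not the HUD project's own code), a message gate that a frame on the ZAP domain could apply to data posted from a target-domain frame: the sender must present the shared secret, and even then only validated fields are copied out of the tainted message. The names `hudMessageGate`, `tool` and `count`, and the origins and secret used, are assumptions.

```javascript
// Constant-time comparison so a wrong secret is not distinguishable by timing.
function secretsMatch(expected, supplied) {
  if (typeof supplied !== "string" || supplied.length !== expected.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ supplied.charCodeAt(i);
  }
  return diff === 0;
}

// Only these fields, with these types and limits, are ever taken from
// target-domain data (hypothetical field names for the example).
const ALLOWED_FIELDS = {
  tool: (v) => typeof v === "string" && /^[a-z-]{1,32}$/.test(v),
  count: (v) => Number.isInteger(v) && v >= 0 && v <= 1000,
};

// sharedSecret is assumed to be provisioned by ZAP to the HUD code it injects,
// and is never known to the target server itself.
function hudMessageGate({ targetOrigin, sharedSecret }) {
  return function accept(event) {
    const { origin, data } = event; // shape of a window MessageEvent
    // Only the configured target origin is considered; anything else is dropped.
    if (origin !== targetOrigin) return { ok: false, reason: "unexpected origin" };
    if (!data || typeof data !== "object") return { ok: false, reason: "malformed" };
    // Target-domain data must carry the shared secret before it is looked at.
    if (!secretsMatch(sharedSecret, data.secret)) return { ok: false, reason: "bad secret" };
    // Even with the secret, the data is tainted: copy only validated fields,
    // never the raw object, so unexpected keys and values cannot reach the UI.
    const payload = {};
    for (const [field, isValid] of Object.entries(ALLOWED_FIELDS)) {
      if (field in data) {
        if (!isValid(data[field])) return { ok: false, reason: `invalid ${field}` };
        payload[field] = data[field];
      }
    }
    return { ok: true, payload };
  };
}
```

The gate never calls the ZAP API on the target frame's behalf; it only hands a sanitised payload to code on the ZAP domain, which decides what, if anything, to do with it.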