- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Thu, 10 May 2012 16:24:21 -0700
- To: W3C Web Security Interest Group <public-web-security@w3.org>
In reply to Adam's and Maciej's noting that there are issues with -domain-origin-assert with respect to "the web origin concept" (RFC6454).

The use of the term "origin" for this notion -- i.e., asserting administrative realm domain name boundaries -- is obviously unfortunately confusing, and a different term/name probably should be used.

That said, the intention of this (so-called at the moment) "BOUND" declaration would be as a data source for "effective TLD (eTLD)" aka "public suffix" information, which is presently used in a number of places where domain names are manipulated/compared in (notably) browsers (e.g. search firefox and/or chromium source for "effective_tld" or "eTLD"). A couple of particular examples of such use are in evaluating whether to allow a cookie to be set for a particular Domain attribute (RFC6265), and in examining asserted server certificate subject domain names (e.g., not accepting a cert for "*.com").

The only way it seems that such a mechanism (e.g. "BOUND" and/or eTLD data) would be involved in Web Origins would be in evaluation/comparison of a web origin's host (aka domain name) component -- and this appears to already be the case anyway.

HTH,
=JeffH
Received on Thursday, 10 May 2012 23:24:50 UTC
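The two browser uses of eTLD/public-suffix data named in the message (rejecting an over-broad cookie Domain attribute, and rejecting a certificate wildcard such as "*.com") can be shown with a small worked example. The code below is an added illustration, not part of the post or of any browser or W3C code; it assumes a tiny constructed subset of public-suffix rules (`PUBLIC_SUFFIX_RULES`, not the real publicsuffix.org list) and implements the standard public-suffix matching algorithm (exception rule wins, otherwise the longest matching rule, otherwise the last label) together with RFC 6265 domain-matching.

```python
"""
Public-suffix (eTLD) aware checks: the cookie Domain-attribute check from
RFC 6265 (a Domain that is itself a public suffix is rejected) and a
certificate wildcard-name check (a wildcard covering a whole public suffix,
e.g. "*.com" or "*.co.uk", is rejected).

PUBLIC_SUFFIX_RULES is a constructed subset for illustration only; a real
implementation loads the full publicsuffix.org list.
"""

# Constructed rule subset covering the three rule kinds of the real list:
# plain rules, wildcard rules ("*.ck") and exception rules ("!www.ck").
PUBLIC_SUFFIX_RULES = [
    "com",
    "co.uk",
    "uk",
    "github.io",
    "*.ck",
    "!www.ck",
]


def _labels(host):
    """Normalise a host name to lower-case labels, dropping a trailing dot."""
    return host.lower().rstrip(".").split(".")


def _rule_matches(rule, labels):
    """A rule matches when its labels equal the trailing labels of the host;
    a '*' rule label matches any single host label."""
    rule_labels = rule.split(".")
    if len(rule_labels) > len(labels):
        return False
    tail = labels[-len(rule_labels):]
    return all(r == "*" or r == h for r, h in zip(rule_labels, tail))


def public_suffix(host):
    """Return the public suffix (eTLD) of host: an exception rule wins,
    otherwise the longest matching rule, otherwise the last label."""
    labels = _labels(host)
    exceptions, matches = [], []
    for rule in PUBLIC_SUFFIX_RULES:
        if rule.startswith("!"):
            if _rule_matches(rule[1:], labels):
                exceptions.append(rule[1:])
        elif _rule_matches(rule, labels):
            matches.append(rule)
    if exceptions:
        # The suffix for an exception rule is the rule minus its leftmost label.
        best = max(exceptions, key=lambda r: r.count("."))
        return ".".join(best.split(".")[1:])
    if not matches:
        return labels[-1]
    best = max(matches, key=lambda r: r.count("."))
    return ".".join(labels[-len(best.split(".")):])


def registrable_domain(host):
    """eTLD+1: the public suffix plus one label, or None when host is itself
    a public suffix (nothing can be registered at that level)."""
    suffix_len = len(public_suffix(host).split("."))
    labels = _labels(host)
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-matching: identical, or the host ends
    with '.' followed by the domain."""
    h, d = request_host.lower(), cookie_domain.lower().lstrip(".")
    return h == d or h.endswith("." + d)


def cookie_domain_allowed(request_host, cookie_domain):
    """Accept a Set-Cookie Domain attribute only if the request host
    domain-matches it and it is not a public suffix (e.g. Domain=co.uk)."""
    d = cookie_domain.lower().lstrip(".")
    if not domain_matches(request_host, d):
        return False
    return public_suffix(d) != d


def wildcard_cert_name_allowed(dns_name):
    """Allow at most one leading '*' label, and reject a wildcard whose
    remainder is a public suffix (so '*.com' and '*.co.uk' are refused)."""
    labels = _labels(dns_name)
    if "*" not in labels:
        return True
    if labels[0] != "*" or any(l == "*" for l in labels[1:]):
        return False
    rest = ".".join(labels[1:])
    return rest != "" and public_suffix(rest) != rest


if __name__ == "__main__":
    for host in ("www.example.co.uk", "foo.ck", "www.ck", "example.org"):
        print(host, "->", public_suffix(host), registrable_domain(host))
    print(cookie_domain_allowed("www.example.co.uk", "co.uk"))       # False
    print(wildcard_cert_name_allowed("*.example.com"))              # True
```

With the real list loaded in place of the constructed subset, `cookie_domain_allowed` is the check a user agent performs before storing a cookie with a Domain attribute, and `wildcard_cert_name_allowed` is the kind of name-constraint check applied to a certificate's subject names; both depend only on the eTLD data, which is the point the message makes about where a "BOUND"-style declaration would plug in.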