Re: SOP wiki was: A Somewhat Critical View of SOP (Same Origin Policy)

On Tue, Sep 29, 2015 at 11:40 AM, Brad Hill <hillbrad@gmail.com> wrote:

> Within the context of Web Origins, FIDO uses approximately the same
> scoping rules as cookies. That is to say, key scope must stay within a
> delegated label or its children and not cross delegation points identified
> by the public suffix list.  "www.example.com" and "register.example.com"
> can each set a cookie for "example.com" which the other can see, but
> subdomains of "hosting.example.com" cannot set cookies at or beyond that
> label if it is designated as a public suffix.  This provides some limited
> usability affordances within the existing information flow boundaries of
> the web security model while mostly ensuring that keys are scoped to a single
> logical organization as defined by domain registrars.
>

Huh, interesting, I wasn't aware of that.

-- 
Tony Arcieri

Received on Tuesday, 29 September 2015 16:46:17 UTC
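
The cookie-style scoping rule described in the quoted message, as an added Python sketch that is not part of the original thread and is not taken from the FIDO specifications. It assumes a small constructed suffix set in place of the real Public Suffix List, with "hosting.example.com" designated as a public suffix as in the message's hypothetical; the function names are hypothetical.

```python
# Constructed stand-in for the Public Suffix List (assumption, not the real list).
PUBLIC_SUFFIXES = {"com", "hosting.example.com"}


def labels(host):
    """Split a host name into lower-cased DNS labels, ignoring a trailing dot."""
    return host.lower().rstrip(".").split(".")


def registrable_domain(host, suffixes=PUBLIC_SUFFIXES):
    """Return the longest matching public suffix plus one label to its left.

    Returns None when the host is itself a public suffix or matches no entry.
    Simplification: the real PSL algorithm also has wildcard and exception
    rules and an implicit default rule; this sketch fails closed instead.
    """
    parts = labels(host)
    for i in range(len(parts)):          # i = 0 tries the longest candidate first
        if ".".join(parts[i:]) in suffixes:
            return None if i == 0 else ".".join(parts[i - 1:])
    return None


def may_scope_to(host, scope, suffixes=PUBLIC_SUFFIXES):
    """True if `host` may set a cookie-style scope of `scope`.

    The scope must be the host or one of its parent labels, and must sit at or
    below the host's registrable domain, so it never reaches a public suffix.
    """
    h, s = labels(host), labels(scope)
    if len(s) > len(h) or h[-len(s):] != s:
        return False                     # scope is not the host or a parent of it
    reg = registrable_domain(host, suffixes)
    if reg is None:
        return False                     # no delegated label to scope within
    return len(s) >= len(labels(reg))    # at or below the delegation point


if __name__ == "__main__":
    for host, scope in [
        ("www.example.com", "example.com"),
        ("register.example.com", "example.com"),
        ("a.hosting.example.com", "hosting.example.com"),
        ("a.hosting.example.com", "example.com"),
        ("www.example.com", "com"),
    ]:
        print(f"{host} -> {scope}: {may_scope_to(host, scope)}")
```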