Re: [whatwg/fetch] Proposal: `Sec-Site` should capture information about the requester of a resource (#700)

> I believe there's some real value in more granularity above and beyond that enum for services that wish to expose data to some subset of cross-origin entities, but not all cross-origin entities (for example: mail.google.com might trust accounts.google.com, but not docs.google.com; google.de might trust accounts.google.com, but not evil.com). Neither same-site nor cross-site would be granular enough to create those ACLs.

I thought we agreed that same-site would mean same eTLD+1 for these purposes. Not true? I pointed this out regarding SameSite cookies in https://github.com/whatwg/fetch/issues/687#issuecomment-377615060 but then the thread seemed to go on to say that same-site should be same eTLD+1.

-- 
https://github.com/whatwg/fetch/issues/700#issuecomment-381666299

Received on Monday, 16 April 2018 16:32:24 UTC