Re: Opting in to cookies - proposal version 3

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 19 Jun 2008 00:38:51 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: Web Applications Working Group WG <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0806190036210.13974@hixie.dreamhostps.com>

On Wed, 18 Jun 2008, Jonas Sicking wrote:
> 
> Most of the feedback I got from my previous proposal was in regards to 
> the nested uri scheme solution, which wasn't really a critical part of 
> the proposal. So here is an alternative proposal which doesn't use the 
> nested schemes but rather a separate flag.

Seems reasonable. The attack vector it is blocking is sites that provide 
user-specific POST-able scripts same-domain, and non-user-specific data 
cross-domain, and that accidentally make the former available under the 
Access-Control mechanism when exposing the latter, right?

This has one side-effect, which is that it doesn't work well with XBL or 
VBWG in environments where the XBL file (or VXML file) is customised to 
the user but accessed cross-site. Is that ok?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 19 June 2008 00:39:30 GMT
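The accidental exposure Ian describes above (a blanket Access-Control grant meant for non-user-specific data also covering a user-specific, cookie-authenticated script) and the effect of a separate opt-in flag, modelled in Python. This is an added illustration, not code from the thread or from any Access-Control draft: Jonas's proposal text is not on this page, so the header names (`Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials`) are borrowed from the eventual CORS design as an assumption, and the origins, paths and session cookie are constructed.

```python
"""Toy model of cross-site reads with and without a credentials opt-in flag.

Constructed example. The two policies compared:
  legacy  - cookies ride along on every request, cross-site or not
  opt_in  - cookies are attached cross-site only if the requester sets the
            flag AND the server explicitly allows credentialed access
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

ORIGIN_A = "https://app.example"    # constructed: site holding the user's session
ORIGIN_B = "https://other.example"  # constructed: cross-site requester


@dataclass
class Request:
    origin: str
    path: str
    with_credentials: bool = False  # the "separate flag" set by the requester
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    body: str
    headers: Dict[str, str]


SESSIONS = {"sess123": "alice"}  # constructed session store at ORIGIN_A


def server(req: Request) -> Response:
    """ORIGIN_A: a public feed plus a per-user script, both behind one blanket grant."""
    user = SESSIONS.get(req.cookies.get("sid", ""))
    headers = {"Access-Control-Allow-Origin": "*"}  # the accidental blanket grant
    if req.path == "/public/feed.json":
        return Response('{"items": [1, 2, 3]}', headers)  # same for every user
    if req.path == "/me/script.js":
        # User-specific script; only meant to be loaded same-site.
        body = "var user = null;" if user is None else f'var user = "{user}";'
        return Response(body, headers)
    return Response("", {})


def fetch(req: Request, jar: Dict[str, str], opt_in_model: bool) -> Optional[str]:
    """Model the browser. Returns the body exposed to req.origin, or None if blocked."""
    same_site = req.origin == ORIGIN_A
    if same_site or not opt_in_model or req.with_credentials:
        req.cookies = dict(jar)  # ambient cookies attached
    resp = server(req)
    if same_site:
        return resp.body
    allow_origin = resp.headers.get("Access-Control-Allow-Origin")
    if allow_origin not in ("*", req.origin):
        return None
    if opt_in_model and req.with_credentials:
        # A credentialed cross-site read needs an explicit, non-wildcard grant.
        if allow_origin == "*" or resp.headers.get("Access-Control-Allow-Credentials") != "true":
            return None
    return resp.body


def demo() -> Dict[str, Optional[str]]:
    """Run the scenarios the thread contrasts and return what ORIGIN_B gets to read."""
    jar = {"sid": "sess123"}  # alice is logged in to ORIGIN_A
    return {
        # Without the flag, the blanket grant leaks the per-user script cross-site.
        "legacy_cross_site_script": fetch(Request(ORIGIN_B, "/me/script.js"), jar, False),
        # With the opt-in model and no flag, the same request is anonymous.
        "opt_in_no_flag_script": fetch(Request(ORIGIN_B, "/me/script.js"), jar, True),
        # Requester sets the flag, but the server never explicitly allowed credentials.
        "opt_in_flag_script": fetch(Request(ORIGIN_B, "/me/script.js", True), jar, True),
        # The non-user-specific data the grant was meant for still works.
        "opt_in_public_feed": fetch(Request(ORIGIN_B, "/public/feed.json"), jar, True),
        # Same-site use is unaffected.
        "same_site_script": fetch(Request(ORIGIN_A, "/me/script.js"), jar, True),
    }


if __name__ == "__main__":
    for name, body in demo().items():
        print(f"{name:28s} -> {body!r}")
```

The point the model makes is that the server's mistake (one grant header everywhere) is unchanged between the two policies; what changes is that under the opt-in model a cross-site request carries no cookie unless the requester asks for it, and a credentialed read then additionally requires the server to say so explicitly, so the blanket wildcard grant alone no longer exposes user-specific content.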