Re: Opting in to cookies - proposal version 3

Ian Hickson wrote:
> On Wed, 18 Jun 2008, Jonas Sicking wrote:
>> Most of the feedback I got from my previous proposal was in regards to 
>> the nested uri scheme solution, which wasn't really a critical part of 
>> the proposal. So here is an alternative proposal which doesn't use the 
>> nested schemes but rather a separate flag.
> 
> Seems reasonable. The attack vector it is blocking is sites that provide 
> user-specific POST-able scripts same-domain, and non-user-specific data 
> cross-domain, and that accidentally make the former available under the 
> Access-Control mechanism when exposing the latter, right?

Exactly. And it's useful for pages that contain private information only 
when cookies are sent, but when no cookies are sent they only provide 
public information. I've given two examples of this in other threads:

1. A news site serving articles in different categories. When the user
    is logged in and has configured a home zipcode includes a category
    of local news.

    Example: news.yahoo.com

2. A discussion board that allows comments to be marked private. Only
    when a user is logged in and has access to private comments are the
    private comments included, otherwise only the public comments are
    shown.

    Example: buzilla.mozilla.com

> This has one side-effect, which is that it doesn't work well with XBL or 
> VBWG in environments where the XBL file (or VXML file) is customised to 
> the user but accessed cross-site. Is that ok?

It doesn't "work well" in the sense that they don't work out-of-the-box. 
It would be trivial to add a load-private-data pseudo attribute to the 
<?xbl?> PI that sets the "with credentials" flag to true.

However I can't think of a situation where someone wants to load private 
XBL bindings so I'm totally ok with it being a bit more hassle. It might 
be a bigger deal for VXML, I don't know since I've not looked at that spec.

/ Jonas

Received on Thursday, 19 June 2008 08:37:09 UTC