Re: Sub-origins from Brad Hill on 2013-08-26 (public-webappsec@w3.org from August 2013)

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 26 Aug 2013 15:42:06 -0700
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Joel Weinberger <jww@chromium.org>
Message-ID: <CAEeYn8idLRLXhCoL2Rm5REYeSzfeG=BitvzZOJ3wqNp8ogoLVw@mail.gmail.com>

I imagine that there might be a helper function defined, or that developers
could do it themselves, or that you could have API sugar that helps out.

-Brad


On Mon, Aug 26, 2013 at 3:39 PM, Devdatta Akhawe <dev.akhawe@gmail.com>wrote:

> > Content-Security-Policy: sandbox suborigin:'isolateme'
> >
> > Where the result of this is to set the origin representation to an
> > HMAC_SHA256 of the origin with "isolateme" as the key.
> >
> > This gives the ability to developers to create convenient names for
> > arbitrary groupings of site functionality, makes it extraordinarily
>
> I imagine that this is what an implementation might do. I am curious
> about how developers would use it. For example, in an API like
> postMessage where the developer has to name and use the origin (or in
> CORS), the current proposal requires the developer to say
> "{origin.com, isolateme}". Do you envision the developer writing this
> HMAC value in the target origin field?
>
> thanks
> Dev
>

Received on Monday, 26 August 2013 22:42:34 UTC