- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 3 Sep 2013 16:21:41 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 3 September 2013 23:22:28 UTC
Like Michal, I also dislike the hash/hmac based serialization approach. I think some of the simpler serialization approaches discussed in this thread work better, if we agree that a single serialization is necessary (I am still not sure on that front).

It feels more "webby" to have a human-readable serialization of the security principal instead of an HMAC. Finally, as Dan's email points out, it doesn't look like the simpler serialization should cause lots of issues.

> Create a document.location.suborigin ? Then if it's undefined sites can

+1

~Dev