Re: Adding cookie scope to CSP from Alex Russell on 2013-09-10 (public-webappsec@w3.org from September 2013)

From: Alex Russell <slightlyoff@google.com>
Date: Tue, 10 Sep 2013 08:18:22 -0700
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "Nottingham, Mark" <mnotting@akamai.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CANr5HFV+JxKcBrG04vKmcPgj_Jrhn-g1fHXRi-RserTOWQ0e4Q@mail.gmail.com>

Obviously it would be on-top of origin scoping. The idea here would be that
a document could declare that all writes into the cookie jar must be
prefixed with some path.

On Tue, Sep 10, 2013 at 7:58 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Sep 10, 2013 at 3:34 PM, Alex Russell <slightlyoff@google.com>
> wrote:
> > Cookies have sub-origin scoping.via the Path attribute. It might be
> useful
> > to be able to further restrict the ability of script in a page to
> access/set
> > cookies that are "below" some path.
>
> I'm not sure what this means. The path attribute offers no actual
> protection and definitely does not provide origin-scoping. It's at
> best a convenience feature.
>
>
> --
> http://annevankesteren.nl/
>

Received on Tuesday, 10 September 2013 15:19:26 UTC