- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 10 Jan 2014 11:13:35 +0000
- To: Mike West <mkwst@google.com>
- Cc: Nasko Oskov <nasko@google.com>, WebAppSec WG <public-webappsec@w3.org>, TAG <www-tag@w3.org>

On Fri, Jan 10, 2014 at 9:20 AM, Mike West <mkwst@google.com> wrote:
> I like the concept very much. I'm unclear as to the practical implementation
> you're proposing. How do sites opt-in to this sort of treatment? How do you
> determine when a site ought to get credentials and when it shouldn't?

I would expect opt-in to be similar to HSTS. Once done, the browser will remember that the given origin wants to be partitioned. And only if that origin is navigated to is its associated context (such as cookies and cache) available. It's not entirely clear if in different contexts (when something else is navigated to) isolated origins should be given special treatment.

This came out of a discussion we had about hosted apps and similar experiments and how they are different from the web you browse and whether we should make that into something you can opt into. (I hope this addresses Henri's question too.)

--
http://annevankesteren.nl/

Received on Friday, 10 January 2014 11:14:07 UTC