- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 28 Aug 2015 13:52:08 -0700
- To: Mike West <mkwst@google.com>
- Cc: Erik Nygren <erik+w3@nygren.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
+1 to this. I would find this very useful and likely adopt it as soon as it is available.

On 27 August 2015 at 22:02, Mike West <mkwst@google.com> wrote:

> On Thu, Aug 27, 2015 at 7:22 PM, Erik Nygren <erik+w3@nygren.org> wrote:
>>
>> From previous discussion, other cookie scopes might also have value:
>>
>> https://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0046.html
>
> Ah, September 2013. One of the several times at which I thought that CSP2
> was done and ready to ship. How absurd and naïve in hindsight. I didn't do a
> good job driving things to completion, as is likely quite obvious from the
> 2-year gap between then and now.
>
> I still like mnot's proposal, and I think it does indeed address the
> concerns of folks like sandstorm.io. I intend to add something like it to
> CSP3. I'm not sure that the extensions proposed (path, etc) are useful, and
> tend towards thinking that we should avoid improving support for the cookie
> properties that don't mesh well with web origins.
>
> Relatedly, we'll likely also want something to control `document.domain`.
> It's possible, in fact, that these two things are really the same. That is,
> anyone who would want to lock `document.cookie` to the current host would
> likely also want to lock `document.domain`. We could certainly add separate
> syntax for this if desired, but combining them seems like it might be
> reasonable.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
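The point in the quoted reply that cookie properties "don't mesh well with web origins", and that locking `document.cookie` and `document.domain` to the current host are close to the same thing, can be made concrete with a small model. The following is an added example, not code from this thread, from the CSP drafts or from any browser: it implements the RFC 6265 domain-match and path-match rules, the scheme/host/port origin comparison, and a simplified view of the `document.domain` setter (the public-suffix check of the real setter is omitted, which is an assumption about the inputs). The cookie, base URL and target URLs are constructed for illustration.

```javascript
// Added example (not code from the mailing-list thread): RFC 6265 cookie scoping
// next to the web-origin rule, to show why the two do not line up.
// Hostnames, URLs and the cookie below are constructed for illustration.

// RFC 6265 section 5.1.3: does `host` domain-match `domainString`?
function domainMatches(host, domainString) {
  host = host.toLowerCase();
  domainString = domainString.toLowerCase();
  if (host === domainString) return true;
  if (!host.endsWith(domainString)) return false;
  // The character of `host` just before the matched suffix must be a dot,
  // so "evil-example.com" does not match "example.com".
  if (host[host.length - domainString.length - 1] !== '.') return false;
  // An IPv4 literal never domain-matches a shorter domain string.
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 section 5.1.4: does `requestPath` path-match `cookiePath`?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Would a stored cookie be attached to a request for `url`?
// cookie: { name, domain, hostOnly, path, secure }
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain.toLowerCase()
    : domainMatches(u.hostname, cookie.domain);
  const schemeOk = !cookie.secure || u.protocol === 'https:';
  return hostOk && pathMatches(u.pathname, cookie.path) && schemeOk;
}

// The web-origin rule: scheme, host and port must all agree.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Simplified `document.domain` setter (HTML spec): a document may relax its
// origin to a dotted suffix of its own host. Assumption: the public-suffix
// check performed by real browsers is omitted here.
function documentDomainRelaxAllowed(currentHost, value) {
  return value.includes('.') && domainMatches(currentHost, value);
}

// Compare both models from the point of view of a document at `base`.
function scopeComparison(cookie, base, urls) {
  const out = {};
  for (const url of urls) {
    out[url] = { cookieSent: cookieSentTo(cookie, url), sameOrigin: sameOrigin(base, url) };
  }
  return out;
}

// Constructed cookie, as set by: Set-Cookie: sid=...; Domain=example.com; Path=/
const SESSION_COOKIE = { name: 'sid', domain: 'example.com', hostOnly: false, path: '/', secure: false };
const BASE = 'https://example.com/';
const TARGETS = [
  'https://example.com/',
  'http://example.com/',
  'https://example.com:8443/',
  'https://app.example.com/',
  'https://evil-example.com/',
];

// Usage: every target but the last receives the cookie, yet only the first is same-origin.
console.table(scopeComparison(SESSION_COOKIE, BASE, TARGETS));
```

The table shows the mismatch directly: a `Domain=example.com` cookie travels across scheme, port and every subdomain, while the origin check distinguishes all of them. The same suffix rule that lets a subdomain receive the cookie is what `document.domain` relaxation relies on, which is why a host-locking directive for one naturally applies to the other.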
Received on Friday, 28 August 2015 20:52:56 UTC