Re: Cookies in Suborigins from Joel Weinberger on 2016-05-19 (public-webappsec@w3.org from May 2016)

From: Joel Weinberger <jww@chromium.org>
Date: Thu, 19 May 2016 18:48:45 +0000
To: Devdatta Akhawe <dev.akhawe@gmail.com>, Artur Janc <aaj@google.com>
Cc: public-webappsec@w3.org, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CAHQV2Knr03j=y0bcx-uyJoNpo22SXHw5z==ViM_Pwj4Os9DGOA@mail.gmail.com>

Thanks, Anne. This pretty much describes exactly what we were hoping to do
with Suborigins. I'll write this up into the spec in a bit. Looks like it
should be as simple as adding Suborigins to the list of cookie-averse
Document object types:
https://html.spec.whatwg.org/multipage/dom.html#cookie-averse-document-object
--Joel

On Thu, May 19, 2016 at 8:19 AM Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> Yup that seems like what we want. Thanks!
> On May 19, 2016 8:04 AM, "Artur Janc" <aaj@google.com> wrote:
>
>> On Thu, May 19, 2016 at 4:52 PM, Anne van Kesteren <annevk@annevk.nl>
>> wrote:
>>
>>> On Thu, May 19, 2016 at 4:48 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
>>> wrote:
>>> > I don't think I have heard of "cookie averse document object". Can you
>>> > clarify a bit more?
>>>
>>> Well, it's part of how document.cookie is defined. If you're planning
>>> on changing the document.cookie API, I recommend reading up on that:
>>> https://html.spec.whatwg.org/multipage/dom.html#dom-document-cookie.
>>
>>
>> FWIW this seems reasonable to me for the suborigin case as it matches the
>> goals of the "safe cookie mode" quite well.
>>
>

Received on Thursday, 19 May 2016 18:49:23 UTC