- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 16 Mar 2015 15:51:53 -0700
- To: Tim Berners-Lee <timbl@w3.org>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Public TAG List <www-tag@w3.org>, Mark Nottingham <mnot@mnot.net>
On 16 March 2015 at 12:39, Tim Berners-Lee <timbl@w3.org> wrote:
> It seems simpler and more powerful to just extend the current origin policy but introduce the '/' as well as the DNS '.' in the hierarchy of origins.

Certainly simpler, but how do you plan to deal with legacy content. I guess that the only way you can is to have parent origins disable privileges for children in a declarative fashion. i.e., https://example.com/ can say that https://example.com/foo/ can't have its toys. The inverse causes existing things to break.

For a lot of cases, that means you'd need a combination of a blanket down-privilege statement, plus some selective up-privilege clauses. github.com/admin/ has all the rights, but github.com/user/project doesn't.

BTW, I don't find the github example especially compelling, because I don't believe that github wants to cede control over project pages entirely, just the public spaces that they (currently) provide on github.io.

Received on Monday, 16 March 2015 22:52:20 UTC