Re: Origin cookies

On Sun, Oct 26, 2014 at 8:06 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> So no, you can’t assume that subdomains are written by the same people.

Sorry, I meant they are controlled by the same people, therefore
presumably there's no malicious code running on one subdomain
attacking another subdomain or the parent domain.

Cookies chose the non-public-suffix domain as the isolation unit, which is
looser (with no regard to subdomain, port, scheme) than the same-origin
policy. But the "same-domain" policy is not without reason or merit
either.

Zhong Yu
bayou.io

Received on Monday, 27 October 2014 18:40:30 UTC
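
The contrast drawn in this message between the cookie isolation unit and the same-origin policy, as an added example that is not part of the original post. The suffix set and URLs are constructed, and `originOf`, `cookieDomainOf` and `compare` are hypothetical names.

```javascript
// Constructed, tiny stand-in for the Public Suffix List (assumption: real
// code would consult the full list).
const PUBLIC_SUFFIXES = new Set(["com", "io", "co.uk"]);

// Same-origin policy unit: scheme + host + port.
function originOf(url) {
  return new URL(url).origin;
}

// Cookie isolation unit: the widest Domain a host may set a cookie for,
// i.e. the shortest parent domain that is not itself a public suffix.
// Scheme and port play no part in it.
function cookieDomainOf(url) {
  const labels = new URL(url).hostname.split(".");
  for (let i = 0; i < labels.length; i++) {
    const parent = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(parent)) return labels.slice(i).join(".");
  }
  return labels.join("."); // no known suffix matched: treat host as the unit
}

// Compare two URLs under both policies.
function compare(a, b) {
  return {
    sameOrigin: originOf(a) === originOf(b),
    sameCookieDomain: cookieDomainOf(a) === cookieDomainOf(b),
  };
}

// Constructed sample URLs.
const pairs = [
  ["https://www.example.com/", "http://blog.example.com:8080/"], // differ in scheme, subdomain, port
  ["https://www.example.com/", "https://www.example.com/account"], // same origin
  ["https://a.example.co.uk/", "https://b.other.co.uk/"], // share only a public suffix
];
for (const [a, b] of pairs) {
  console.log(a, b, compare(a, b));
}
```

The first pair is the case the thread is about: two different origins that can still read and overwrite each other's `Domain=example.com` cookies.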