Re: Origin cookies

> On Oct 27, 2014, at 8:40 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> 
> On Sun, Oct 26, 2014 at 8:06 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> So no, you can’t assume that subdomains are written by the same people.
> 
> Sorry, I meant they are controlled by the same people, therefore
> presumably there's no malicious code running on one subdomain
> attacking another subdomain or the parent domain.

That’s presumed, but when IT departments install mail servers (with a web interface), firewalls, CRM and ERP software, they have limited control over what these servers do with cookies. Sure, hopefully they install software from reputable vendors who do not include malicious code, but the level of control is not what we would like.

Yoav

Received on Tuesday, 28 October 2014 09:46:32 UTC