Re: Defining First and Third Party Cookies

On Fri, Jul 22, 2016 at 11:36 AM, Julian Reschke wrote:
> It seems to me that RFC 6454 has much more text explaining origins and the
> same-origin policy. Is that somewhere in the HTML spec as well?

I'm not sure. I guess it's fine to use the RFC for some non-normative guidance.

> Other than that I notice that the definition of an origin changed to include
> one additional component ("domain"), which is optional and seems to be
> specific to browser APIs.


> I can see why this stuff is needed internally in the browser spec, but I'm
> skeptical about this needing to "obsolete" RFC 6454.

Well, it's that concept of origin that's passed around. Other than
browsers there's not much use for origins.

> Which attempts to make an incompatible change to the syntax of the header
> field.
> <>
> seems to indicate that this change would make Chrome and Edge non-compliant.

Only for that particular header, if that particular header continues
to use that syntax. If they do, however, they'd be wise to introduce
their own production and not pretend it's the same as what's used for
Origin, since that'd be false.


Received on Friday, 22 July 2016 09:44:33 UTC