- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Wed, 19 Nov 2014 13:58:16 -0000
- To: <public-tracking@w3.org>
- Cc: "David Singer" <singer@apple.com>, "'Roy T. Fielding'" <fielding@gbiv.com>
- Message-ID: <133901d00400$df0e1ea0$9d2a5be0$@baycloud.com>
The ability to store or at least confirm exceptions to other domains would be a very useful capability for the UGE API, which was why the cookie-like domain property was designed. Unfortunately this mechanism falls between 2 stools because it still weakens Same Origin Policy security somewhat while not being particularly useful for the identified use-cases. Issue-262 is a case in point but there are important others.

A solution to this could be a technique similar to my suggestion that origins belonging to the same party, or its service providers, can be made to refer to each other. This has been used in other recommendations, notably Cross-origin Resource Sharing.

Obviously at this late stage we do not want to add further delay to getting DNT out the door, but we could leave it as an option for the future so that this or another working group could specify the mechanism later. Browser vendors quite often implement features in W3C draft documents such as the bits of CSP2 now in Chrome and Firefox.

If we left the interpretation of the domain property up to the user agent by changing the text slightly, then some of us could work towards a useable cross-origin mechanism in another WG, or in a successor to this one.

If we change the existing text, which is:

domain of type DOMString, nullable

Cookie-like domain string to which the exception applies.

If domain is not specified or is null or empty then the execution of this API and the use of the resulting permission (if granted) use the 'implicit' parameter, when the API is called, the document origin. This forms the first part of the duplet in the logical model, and hence in operation will be compared with the top-level origin.

If domain is supplied and not empty then it is treated in the same way as the domain parameter to cookies and allows setting for subdomains. The domain argument can be set to fully-qualified right-hand segment of the document host name, up to one level below TLD.

To something like the following:

domain of type DOMString, nullable

Host expression identifying the origin of the resource to which the exception applies. (host expression is scheme-source / host-source as defined in http://www.w3.org/TR/CSP2/)

If domain is not specified or is null or empty then the execution of this API and the use of the resulting permission (if granted) use the 'implicit' parameter, when the API is called, the document origin. This forms the first part of the duplet in the logical model, and hence in operation will be compared with the top-level origin.

If domain is supplied and not empty then the user agent, if it is capable of checking using a W3C agreed procedure that the resource origin requested is controlled by the same party that controls the document origin, MAY assign the exception to it, i.e. if assigned the requested origin will form the first part of the duplet in the logical model.

Mike
Attachments
- text/html attachment: PGPexch.htm
- application/octet-stream attachment: PGPexch.htm.sig
Received on Wednesday, 19 November 2014 13:59:59 UTC
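Added example, not part of the original message or of the TPE draft: a sketch contrasting the two matching rules the message discusses, the existing cookie-like domain and the proposed CSP2 host expression. Function names and hosts are hypothetical, the TLD is assumed to be the last label, and the same-party check the proposal leaves to a future procedure is not modelled.

```javascript
// Added example. Function names are hypothetical; hosts are constructed samples.
const DEFAULT_PORT = { http: "80", https: "443" };

// Existing text: a cookie-like domain must be a right-hand segment of the
// document host, no shorter than one level below the TLD.
// Assumption: the TLD is the last label; a real user agent would need a
// public-suffix list to handle suffixes such as co.uk.
function cookieLikeDomainValid(documentHost, domain) {
  const host = documentHost.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, "");
  if (d.split(".").length < 2) return false; // a bare TLD is too wide
  return host === d || host.endsWith("." + d);
}

// A cookie-like domain covers itself and every subdomain, nothing else.
function cookieLikeCovers(domain, targetHost) {
  const d = domain.toLowerCase().replace(/^\./, "");
  const t = targetHost.toLowerCase();
  return t === d || t.endsWith("." + d);
}

// Proposed text: a CSP2 scheme-source ("https:") or host-source
// ("https://*.example.net:443"). Simplifications: no path part, and a
// host-source without a scheme is not tied to the document's scheme.
function hostExpressionMatches(expr, origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return expr.slice(0, -1).toLowerCase() === scheme;
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, exprScheme, rawHost, exprPort] = m;
  if (exprScheme && exprScheme.toLowerCase() !== scheme) return false;
  const exprHost = rawHost.toLowerCase();
  if (exprHost.startsWith("*.")) {
    // "*.example.net" matches subdomains only, not example.net itself.
    if (!u.hostname.endsWith(exprHost.slice(1))) return false;
  } else if (exprHost !== "*" && exprHost !== u.hostname) {
    return false;
  }
  if (exprPort === "*") return true;
  // new URL() reports a scheme's default port as "".
  const port = u.port || DEFAULT_PORT[scheme] || "";
  return exprPort === undefined ? u.port === "" : exprPort === port;
}
```

For a document on www.example.com, the cookie-like rule can reach ads.example.com but cannot name cdn.example.net at all, while a host expression can name it precisely; whether that origin belongs to the same party is the separate check the proposed text makes a precondition.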