- From: Sigbjørn Vik <sigbjorn@opera.com>
- Date: Fri, 22 Oct 2010 09:29:33 +0200
- To: public-web-perf@w3.org
On Thu, 21 Oct 2010 19:00:56 +0200, Zhiheng Wang <zhihengw@google.com> wrote:

> On Thu, Oct 21, 2010 at 7:46 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:
>
>> I see the following note:
>> "Note: The relaxed same origin policy doesn't provide sufficient protection
>> against unauthorized visits across documents. In shared hosting, an
>> untrusted third party is able to host an HTTP server at the same IP address
>> but on a different port."
>> I must have missed this discussion; this is similar to the mail just sent
>> about cookie domains (here called relaxed same origin). I am not quite sure
>> I understand what "unauthorized visits across documents" means?
>>
>
> Ah, right, I missed this in the discussion yesterday. Cookie domain
> doesn't work in cases like shared hosting, e.g., I have my web site on
> my.hosting.com and yours on yours.hosting.com. We probably don't want to
> share information between them.

Right, this is a potential problem. However, these domains already share cookies, and such domains are rarely used for sensitive data [1]. Timing information is not direct information either, only indirect, which at most indicates if a user is logged in or not.

My thought is that using a cookie domain will be of great benefit to developers, and that it has little real-life negative impact on websites. Do you foresee any practical problems doing this?

[1] Maybe with the exception of people putting their personal documents online to be available for themselves, but such use cases are unlikely to be tricked by spoofing.

-- 
Sigbjørn Vik
Quality Assurance
Opera Software
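To make the shared-hosting argument in this thread concrete, the following is an added Python example (not from the thread, the spec draft, or any browser) that contrasts the strict (scheme, host, port) origin comparison with a cookie-domain style "relaxed" comparison over constructed URLs. How the relaxed policy treats ports and subdomains is an assumption modelled on the quoted note, not a description of any shipped implementation.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple of a URL, filling in default ports."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def strict_same_origin(a, b):
    """Classic same-origin policy: scheme, host and port must all match."""
    return origin(a) == origin(b)


def cookie_domain_match(a, b, cookie_domain):
    """Relaxed policy modelled on cookie domains (assumption): both hosts only
    need to lie within the cookie domain; scheme and port are ignored, which is
    exactly what lets a second tenant on another port or subdomain match."""
    def in_domain(host):
        return host == cookie_domain or host.endswith("." + cookie_domain)
    return in_domain(origin(a)[1]) and in_domain(origin(b)[1])


def may_expose_timing(previous_url, current_url, policy, cookie_domain=None):
    """Decide whether navigation timing about previous_url may be shown to
    the document at current_url under the chosen policy."""
    if policy == "strict":
        return strict_same_origin(previous_url, current_url)
    return cookie_domain_match(previous_url, current_url, cookie_domain)


# Constructed shared-hosting cases: two tenants under one provider domain,
# and two servers on the same host (same IP) but different ports.
SHARED_HOSTING_CASES = [
    ("http://my.hosting.com/", "http://yours.hosting.com/", "hosting.com"),
    ("http://hosting.com/", "http://hosting.com:8080/", "hosting.com"),
]


def leaks_under_relaxed_only():
    """Return the cases where the relaxed policy would expose timing data to
    another tenant while the strict policy would not."""
    return [(a, b) for a, b, d in SHARED_HOSTING_CASES
            if may_expose_timing(a, b, "relaxed", d)
            and not may_expose_timing(a, b, "strict")]
```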
Received on Friday, 22 October 2010 07:30:02 UTC