Re: A Somewhat Critical View of SOP (Same Origin Policy) from Martin Thomson on 2015-09-16 (public-web-security@w3.org from September 2015)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 16 Sep 2015 10:54:34 -0700
To: Henry Story <henry.story@co-operating.systems>
Cc: Brad Hill <hillbrad@gmail.com>, Tony Arcieri <bascule@gmail.com>, Rigo Wenning <rigo@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "Mike O'Neill" <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CABkgnnWd-GQzTv4p-uBDVwprkJqovRUSH2iOR2URRVRbaWrVMg@mail.gmail.com>

On 16 September 2015 at 08:59, Henry Story
<henry.story@co-operating.systems> wrote:
> Cookies respect SOP by design

This is not correct.  Cookies are part of the legacy cruft of the HTTP
protocol.  Just as application/x-form-data is
(https://fetch.spec.whatwg.org/#dom-request step 8)

Received on Wednesday, 16 September 2015 17:55:01 UTC