On 9/29/15, 9:45 AM, "Tony Arcieri" <bascule@gmail.com<mailto:bascule@gmail.com>> wrote: On Tue, Sep 29, 2015 at 11:40 AM, Brad Hill <hillbrad@gmail.com<mailto:hillbrad@gmail.com>> wrote: Within the context of Web Origins, FIDO uses approximately the same scoping rules as cookies. That is to say, key scope must stay within a delegated label or its children and not cross delegation points identified by the public suffix list. "www.example.com<http://www.example.com>" and "register.example.com<http://register.example.com>" can each set a cookie for "example.com<http://example.com>" which the other can see, but subdomains of "hosting.example.com<http://hosting.example.com>" cannot set cookies at or beyond that label if it is designated as a public suffix. This provides some limited usability affordances within the existing information flow boundaries of the web security model while mostly that keys are scoped to a single logical organization as defined by domain registrars. Huh, interesting, I wasn't aware of that. that is what is explained in http://identitymeme.org/http-cookie-processing-algorithm-etlds/ =JeffH
Received on Tuesday, 29 September 2015 21:24:56 UTC