Re: SOP wiki was: A Somewhat Critical View of SOP (Same Origin Policy)

On 9/29/15, 9:45 AM, "Tony Arcieri" <bascule@gmail.com> wrote:

On Tue, Sep 29, 2015 at 11:40 AM, Brad Hill <hillbrad@gmail.com> wrote:
Within the context of Web Origins, FIDO uses approximately the same scoping rules as cookies. That is to say, key scope must stay within a delegated label or its children and not cross delegation points identified by the public suffix list. "www.example.com" and "register.example.com" can each set a cookie for "example.com" which the other can see, but subdomains of "hosting.example.com" cannot set cookies at or beyond that label if it is designated as a public suffix. This provides some limited usability affordances within the existing information flow boundaries of the web security model while mostly ensuring that keys are scoped to a single logical organization as defined by domain registrars.

Huh, interesting, I wasn't aware of that.

That is what is explained in http://identitymeme.org/http-cookie-processing-algorithm-etlds/


=JeffH
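The scoping rule Brad describes, as an added example that is not part of this thread or of any FIDO implementation: a small Python check that decides whether a host may set a cookie (or scope a key) to a given domain without crossing a public-suffix delegation point. The public suffix list here is a constructed subset with "hosting.example.com" standing in for a delegation point; PSL wildcard and exception rules are not modelled.

```python
from __future__ import annotations

# Constructed subset of the public suffix list (the real list is at publicsuffix.org).
# "hosting.example.com" plays the role of a delegated label such as a shared-hosting provider.
PUBLIC_SUFFIXES = {"com", "co.uk", "hosting.example.com"}


def _labels(host: str) -> list[str]:
    return host.lower().rstrip(".").split(".")


def public_suffix(host: str) -> str:
    """Longest public suffix that `host` matches; falls back to the bare TLD,
    mirroring the PSL's implicit '*' rule. Wildcard/exception rules are ignored."""
    parts = _labels(host)
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return parts[-1]


def registrable_domain(host: str) -> str | None:
    """The delegated label: public suffix plus one more label.
    Returns None when `host` is itself a public suffix (nothing is delegated yet)."""
    parts = _labels(host)
    suffix_len = len(_labels(public_suffix(host)))
    if suffix_len >= len(parts):
        return None
    return ".".join(parts[-(suffix_len + 1):])


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: `host` equals `domain` or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def may_scope_to(host: str, domain: str) -> bool:
    """May an origin on `host` set a cookie, or scope a key, to `domain`?
    Allowed only if `domain` covers `host` and both sit under the same delegated
    label, so the scope never reaches a public suffix or crosses one."""
    if not domain_matches(host, domain):
        return False
    target = registrable_domain(domain)
    return target is not None and target == registrable_domain(host)
```

With this subset, www.example.com and register.example.com may both scope to example.com, while a.hosting.example.com may scope only to itself, not to hosting.example.com or example.com.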

Received on Tuesday, 29 September 2015 21:24:56 UTC