Re: SOP wiki was: A Somewhat Critical View of SOP (Same Origin Policy) from Tony Arcieri on 2015-09-29 (public-web-security@w3.org from September 2015)

From: Tony Arcieri <bascule@gmail.com>
Date: Tue, 29 Sep 2015 15:01:10 -0700
To: "Hodges, Jeff" <jeff.hodges@paypal.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAHOTMVJ+NExKvGPJw_fooQbNdHZswk7i0WqEzv3eJ+ea37MycA@mail.gmail.com>

On Tue, Sep 29, 2015 at 2:24 PM, Hodges, Jeff <jeff.hodges@paypal.com>
wrote:

> that is what is explained in
> http://identitymeme.org/http-cookie-processing-algorithm-etlds/
>

In the case of FIDO though, I am guessing these are just rules for scoping
App IDs, and both parties must "agree" (via JS running and contained via
SOP) on the common App ID to use, unlike cookies where the cookie recipient
has no power, only the cookie setter...

-- 
Tony Arcieri

Received on Tuesday, 29 September 2015 22:01:59 UTC