Re: [spec-reviews] Clear Site Data (#62)

Should this be Clear-Origin-Data? 

WRT Cookies - hm. Giving JS on subdomain.example.com the power to clear an HTTPOnly cookie for *.example.com is... interesting.

If that's a concern, the fix would be to say that these cookies (i.e., those with both HTTPOnly and Domain) can only be cleared via JS from an exactly matching origin; e.g., if I want to clear a cookie via JS that has "HTTPOnly; Domain=example.com", I need to clear the site data from example.com (or do it using the response header).

It'd be kind of unfortunate to have that special case in the spec, but it might be necessary.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/issues/62#issuecomment-131698227

Received on Monday, 17 August 2015 06:49:16 UTC