- From: Mark Nottingham <notifications@github.com>
- Date: Mon, 17 Aug 2015 16:22:35 -0700
- To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Received on Monday, 17 August 2015 23:23:09 UTC
It's a genuinely new capability; today, script on a subdomain doesn't have the power to clear the "main" domain's cookies if they were HTTPOnly.

In common use today, that may not be a huge problem, given that domains like github.io are separate from github.com (and this *seems* to be a common pattern), and what's at risk is usually having to log into a site again.

That said, I'm still hesitant, because the Web is big, and it's absurd to think we know all the ways cookies are used. Also, I'd thought that the point of much of what we're doing is to make it *eventually* possible to have sites like mysite.github.com to be securely partitioned from www.github.com, and this seems like it'd be another reason people would avoid deployments like that.

---
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/spec-reviews/issues/62#issuecomment-131990609
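The rule the message leans on (a subdomain's script cannot touch the parent domain's HttpOnly cookies, while a site-wide clearing primitive could) is the cookie-storage algorithm of RFC 6265. The following is an added example, not code from the thread or from any browser or the Clear-Site-Data draft: a small model of that algorithm, with the HttpOnly step, a domain-wide clear as the message describes it, and, as a caveat, the Set-Cookie path that a subdomain *server* already has. The host names (www.github.com, mysite.github.com) and cookie values are constructed for illustration, and the clearing behaviour is modelled on the text of the thread, not on the final specification.

```javascript
// Added example: a minimal model of RFC 6265 section 5.3 cookie storage.
// Hosts, cookie names and values below are constructed for illustration.

// RFC 6265 section 5.1.3: a host domain-matches a domain when it is equal
// to it or ends with "." + domain (the IP-address exclusion is omitted here).
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie the way section 5.3 does. `requestHost` is the host that
  // set it; `viaHttp` is false when it arrived through document.cookie.
  set(requestHost, { name, value, domain, path = '/', httpOnly = false, expires = null }, viaHttp) {
    const d = (domain || requestHost).toLowerCase();
    // Step 6: the request host must domain-match the claimed Domain attribute
    // (so mysite.github.com may claim github.com, but not example.org).
    if (!domainMatches(requestHost, d)) return false;
    // Step 10: a non-HTTP API may not create an HttpOnly cookie.
    if (!viaHttp && httpOnly) return false;
    const idx = this.cookies.findIndex(c => c.name === name && c.domain === d && c.path === path);
    if (idx !== -1) {
      // Step 11: a non-HTTP API may not replace (or expire) an HttpOnly cookie.
      if (!viaHttp && this.cookies[idx].httpOnly) return false;
      this.cookies.splice(idx, 1);
    }
    // An expiry in the past removes the cookie rather than storing it.
    if (expires !== null && expires <= Date.now()) return true;
    this.cookies.push({ name, value, domain: d, path, httpOnly, expires });
    return true;
  }

  // The new capability the message objects to, modelled on its description:
  // drop every cookie whose domain the clearing host domain-matches,
  // HttpOnly or not. Returns the number of cookies removed.
  clearFor(requestHost) {
    const before = this.cookies.length;
    this.cookies = this.cookies.filter(c => !domainMatches(requestHost, c.domain));
    return before - this.cookies.length;
  }

  names() { return this.cookies.map(c => `${c.name}@${c.domain}`).sort(); }
}

// Script on a subdomain versus a domain-wide clear from the same subdomain.
function demo() {
  const jar = new CookieJar();
  // The "main" site sets an HttpOnly session cookie for the whole domain.
  jar.set('www.github.com',
    { name: 'session', value: 'abc', domain: 'github.com', httpOnly: true }, true);
  // document.cookie on mysite.github.com tries to expire it: refused (step 11).
  const scriptClear = jar.set('mysite.github.com',
    { name: 'session', value: '', domain: 'github.com', expires: 0 }, false);
  const afterScript = jar.names();
  // A site-wide clear issued for mysite.github.com would remove it anyway.
  const cleared = jar.clearFor('mysite.github.com');
  return { scriptClear, afterScript, cleared, afterClear: jar.names() };
}

// Caveat: a Set-Cookie header from a subdomain server is an HTTP API, so it
// can already overwrite or expire the parent domain's HttpOnly cookie.
function serverCanExpire() {
  const jar = new CookieJar();
  jar.set('www.github.com',
    { name: 'session', value: 'abc', domain: 'github.com', httpOnly: true }, true);
  const ok = jar.set('mysite.github.com',
    { name: 'session', value: '', domain: 'github.com', httpOnly: true, expires: 0 }, true);
  return { ok, remaining: jar.names() };
}

console.log(demo(), serverCanExpire());
```

The script path fails at step 11 because the stored cookie is HttpOnly; the domain-wide clear does not consult that flag at all, which is the "genuinely new capability" point. The last function is the existing hole the message's partitioning goal has to live with: a subdomain that can emit Set-Cookie headers is not, under RFC 6265, isolated from the parent domain's cookies.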