- From: Mike West <notifications@github.com>
- Date: Tue, 18 Aug 2015 09:11:54 -0700
- To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Received on Tuesday, 18 August 2015 16:12:26 UTC
> It's a genuinely new capability; today, script on a subdomain didn't have the power to clear the "main" domain's cookies if they were HTTPOnly.

For clarity, this applies only to the JavaScript API, right? Not to the HTTP header.

> Also, I'd thought that the point of much of what we're doing is to make it eventually possible to have sites like mysite.github.com to be securely partitioned from www.github.com

As long as we have cookies that span origins, that's going to be a difficult goal to achieve. How about those origin cookies, eh? (https://tools.ietf.org/html/draft-west-origin-cookies-01)

> WRT site vs. origin -- I'm not sure "site" conveys what you want it to; it just seems to add another, imprecise term.

We use "site data" in Chrome's data-removing UI: chrome://settings/clearBrowserData. *shrug* I'm open to renamings.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/issues/62#issuecomment-132262921