Re: Opting in to cookies - proposal version 3

On Wed, 18 Jun 2008, Jonas Sicking wrote:
> 
> Most of the feedback I got from my previous proposal was in regards to 
> the nested uri scheme solution, which wasn't really a critical part of 
> the proposal. So here is an alternative proposal which doesn't use the 
> nested schemes but rather a separate flag.

Seems reasonable. The attack vector it is blocking is sites that provide 
user-specific POST-able scripts same-domain, and non-user-specific data 
cross-domain, and that accidentally make the former available under the 
Access-Control mechanism when exposing the latter, right?

This has one side-effect, which is that it doesn't work well with XBL or 
VBWG in environments where the XBL file (or VXML file) is customised to 
the user but accessed cross-site. Is that ok?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 19 June 2008 00:39:30 UTC