- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 20 Jun 2008 00:16:43 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>
On Thu, 19 Jun 2008, Jonas Sicking wrote:
>
> The site is as always responsible for asking the user before allowing
> third-party access to private data, and yes, if they fail to do so
> properly they will be vulnerable.

So I guess I don't really understand what your proposal solves, then. It seems like a lot of complexity for only a very minimal gain in only one very specific scenario (the site doesn't ever return cookie-based data cross-site). We're still relying on the author not making mistakes, despite "the author will make a mistake" being our underlying assumption.

If the site has to know to not include the cookie opt-in header, why not just have the site ignore the cookies?

(It also introduces the problems that Maciej mentioned, which I think are valid problems.)

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 20 June 2008 00:28:38 UTC