Re: Sub-origins

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 26 Aug 2013 15:39:01 -0700
Message-ID: <CAPfop_23KPmM9qJAZnFEhc2xHkScJJ9xiTRc1AxCFkzxrkb+nA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Joel Weinberger <jww@chromium.org>

> Content-Security-Policy: sandbox suborigin:'isolateme'
> Where the result of this is to set the origin representation to an
> HMAC_SHA256 of the origin with "isolateme" as the key.
> This gives the ability to developers to create convenient names for
> arbitrary groupings of site functionality, makes it extraordinarily

I imagine that this is what an implementation might do. I am curious
about how developers would use it. For example, in an API like
postMessage where the developer has to name and use the origin (or in
CORS), the current proposal requires the developer to say
"{origin.com, isolateme}". Do you envision the developer writing this
HMAC value in the target origin field?

Received on Monday, 26 August 2013 22:39:48 UTC
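
To make the question in this message concrete, the following added example (not part of the original message, the proposal, or any browser's code) derives the opaque origin representation described in the quoted text and compares it with the `{origin, name}` tuple form. Assumptions: the HMAC input is the serialized origin string, the output is hex-encoded, the scheme `https://` is chosen for the sample, the helper names are hypothetical, and Node.js's `crypto` module stands in for a browser.

```javascript
// Added illustration; not code from the proposal or from any browser.
const { createHmac, timingSafeEqual } = require('crypto');

// Assumption: HMAC input is the serialized origin (scheme://host[:port]),
// the key is the suborigin name, and the result is hex-encoded.
function subOriginId(origin, name) {
  return createHmac('sha256', name).update(origin, 'utf8').digest('hex');
}

// Form 1: the developer names the target as the tuple {origin, name}.
function matchesTuple(target, actual) {
  return target.origin === actual.origin && target.name === actual.name;
}

// Form 2: the developer writes the opaque HMAC value as the target.
function matchesOpaque(targetId, actual) {
  const want = Buffer.from(targetId, 'hex');
  const got = Buffer.from(subOriginId(actual.origin, actual.name), 'hex');
  // Length guard: timingSafeEqual throws on buffers of different length.
  return want.length === got.length && timingSafeEqual(want, got);
}

// Constructed sample values (scheme is assumed; the thread says "origin.com").
const sender = { origin: 'https://origin.com', name: 'isolateme' };
const opaque = subOriginId(sender.origin, sender.name);

console.log('tuple form :', JSON.stringify(sender));
console.log('opaque form:', opaque);
console.log(matchesTuple({ origin: 'https://origin.com', name: 'isolateme' }, sender));
console.log(matchesOpaque(opaque, sender));
console.log(matchesOpaque(opaque, { origin: 'https://origin.com', name: 'other' }));
```

Under these assumptions the opaque form is a fixed 64-character hex string that would have to be copied into the target origin field, while the tuple form keeps the suborigin name readable.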
