- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 26 Aug 2013 15:39:01 -0700
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Joel Weinberger <jww@chromium.org>
> Content-Security-Policy: sandbox suborigin:'isolateme'
>
> Where the result of this is to set the origin representation to an
> HMAC_SHA256 of the origin with "isolateme" as the key.
>
> This gives the ability to developers to create convenient names for
> arbitrary groupings of site functionality, makes it extraordinarily
I imagine that this is what an implementation might do. I am curious
about how developers would use it. For example, in an API like
postMessage where the developer has to name and use the origin (or in
CORS), the current proposal requires the developer to say
"{origin.com, isolateme}". Do you envision the developer writing this
HMAC value in the target origin field?
thanks
Dev
Received on Monday, 26 August 2013 22:39:48 UTC