
Re: Sub-origins

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 26 Aug 2013 15:42:06 -0700
Message-ID: <CAEeYn8idLRLXhCoL2Rm5REYeSzfeG=BitvzZOJ3wqNp8ogoLVw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Joel Weinberger <jww@chromium.org>

I imagine that there might be a helper function defined, or that developers
could do it themselves, or that you could have API sugar that helps out.

-Brad


On Mon, Aug 26, 2013 at 3:39 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > Content-Security-Policy: sandbox suborigin:'isolateme'
> >
> > Where the result of this is to set the origin representation to an
> > HMAC_SHA256 of the origin with "isolateme" as the key.
> >
> > This gives the ability to developers to create convenient names for
> > arbitrary groupings of site functionality, makes it extraordinarily
>
> I imagine that this is what an implementation might do. I am curious
> about how developers would use it. For example, in an API like
> postMessage where the developer has to name and use the origin (or in
> CORS), the current proposal requires the developer to say
> "{origin.com, isolateme}". Do you envision the developer writing this
> HMAC value in the target origin field?
>
> thanks
> Dev
>
Received on Monday, 26 August 2013 22:42:34 UTC
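
The helper function discussed in this exchange, sketched as an added example (not code from the thread or from any specification): the developer keeps naming `{origin, name}` and the helper derives the HMAC_SHA256 representation and compares it on the receiving side. The function names, the hex encoding, the origin serialization and the second suborigin name are assumptions; the code runs under Node.js.

```javascript
// Added illustration; suboriginId and isFromSuborigin are hypothetical names.
const nodeCrypto = require('node:crypto');

// Assumption: the origin is serialized as "scheme://host[:port]" and the
// result is hex-encoded. The thread fixes only "HMAC_SHA256 of the origin
// with the name as the key".
function suboriginId(origin, name) {
  const serialized = new URL(origin).origin; // lowercases host, drops default port and path
  if (serialized === 'null') {
    throw new TypeError('origin has no tuple serialization: ' + origin);
  }
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('suborigin name must be a non-empty string');
  }
  // The name is public, so the output is a stable opaque label for the
  // {origin, name} pair, not proof that the sender knows a secret.
  return nodeCrypto.createHmac('sha256', name).update(serialized, 'utf8').digest('hex');
}

// Receiver-side check for a postMessage-style handler: the developer writes
// the readable pair and never handles the HMAC value directly.
function isFromSuborigin(reportedId, origin, name) {
  const expected = Buffer.from(suboriginId(origin, name), 'hex');
  const got = Buffer.from(String(reportedId), 'hex'); // malformed hex decodes short
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// Constructed sample values: origin.com and 'isolateme' come from the thread,
// 'payments' is made up for contrast.
const SITE = 'https://origin.com';
const isolated = suboriginId(SITE, 'isolateme');
const other = suboriginId(SITE, 'payments');

console.log('isolateme ->', isolated);
console.log('payments  ->', other);
console.log('accept isolateme:', isFromSuborigin(isolated, SITE, 'isolateme'));
console.log('accept payments :', isFromSuborigin(other, SITE, 'isolateme'));
```
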
