- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 23 Oct 2013 13:35:45 +0100
- To: WebAppSec WG <public-webappsec@w3.org>
- Cc: Ian Hickson <ian@hixie.ch>
A while ago Mark suggested cookie restrictions driven by a CSP policy. This is not that. This is more akin to the referrer control proposal.

Developers want a way to control cookies (https://www.w3.org/Bugs/Public/show_bug.cgi?id=11235) on outgoing requests. It strikes me we could potentially do that via CSP rather than having opt-in flags at each Fetch entry point. Of course, as with referrer control this makes CSP more about a Fetch policy than a security policy, but naming has never been our strong suit.

Any solution here would have to address whether cookies are transmitted while fetching, and whether cookies transmitted with the response are accepted. The different effects of this are spelled out here: http://fetch.spec.whatwg.org/#basic-fetch (under http/https).

Anyone been thinking about this?

--
http://annevankesteren.nl/
Received on Wednesday, 23 October 2013 12:36:13 UTC