Re: Sub-origins

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 3 Sep 2013 16:21:41 -0700
Message-ID: <CAPfop_0ovU9M791KB-BYHxQ0xM0RMTCyGkVBh5fQcniZ4N5b5Q@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Like Michal, I also dislike the hash/hmac based serialization approach. I
think some of the simpler serialization approaches discussed in this thread
work better, if we agree that a single serialization is necessary (I am
still not sure on that front). It feels more "webby" to have a
human-readable serialization of the security principal instead of an HMAC.
Finally, as Dan's email points out, it doesn't look like the simpler
serialization should cause lots of issues.

Create a document.location.suborigin ? Then if it's undefined sites can


Received on Tuesday, 3 September 2013 23:22:28 UTC