Re: Adding cookie scope to CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 10 Sep 2013 15:58:52 +0100
Message-ID: <CADnb78i=zcCzO7Xa7msyXPxKzBgqBdeHR8w15oiiM9nKsH5g+g@mail.gmail.com>
To: Alex Russell <slightlyoff@google.com>
Cc: "Nottingham, Mark" <mnotting@akamai.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Sep 10, 2013 at 3:34 PM, Alex Russell <slightlyoff@google.com> wrote:
> Cookies have sub-origin scoping via the Path attribute. It might be useful
> to be able to further restrict the ability of script in a page to access/set
> cookies that are "below" some path.

I'm not sure what this means. The path attribute offers no actual
protection and definitely does not provide origin-scoping. It's at
best a convenience feature.

Received on Tuesday, 10 September 2013 14:59:23 UTC