Re: Serialized suborigins

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 12 Sep 2013 12:03:18 -0700
Message-ID: <CALx_OUAKtYUzCh21t0x0r8YyjkjnTfCjJF1ounBA4SAN-OQGGA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Hey,

Honestly, I'm struggling a bit to understand what the key benefit is of
doing suborigin://hashed-concat versus suborigin://non-hashed-concat -
in that both of these representations will not be literal string
matches for any existing origin if done sensibly (and using a literal
suborigin:// further alleviates most fears).

In either case, I think that keeping the communications between
origins simple and intuitive should be a goal for both approaches.
Perhaps base64 or rot13 is indeed a better idea.

I agree with Brad's concern about having to preserve protocol, perhaps
as a part of the hash.

/mz
Received on Thursday, 12 September 2013 19:04:06 UTC
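
The trade-off discussed in this message, sketched as an added example that is not part of the original post or of any suborigin specification. Both serialization formats, the tuple fields and all function names are assumptions made for illustration; hosts are assumed not to be IPv6 literals.

```javascript
const { createHash } = require('node:crypto');

// Ordinary origin serialization (default ports elided), as existing checks see it.
function webOrigin({ scheme, host, port }) {
  const dflt = { http: 80, https: 443 }[scheme];
  return `${scheme}://${host}${port === dflt ? '' : ':' + port}`;
}

// Assumed non-hashed form: every component stays readable to the receiver.
function serializePlain({ scheme, host, port, name }) {
  return `suborigin://${encodeURIComponent(name)}@${scheme}+${host}:${port}`;
}

// Assumed hashed form: SHA-256 over an unambiguous encoding of the tuple.
// includeScheme=false models a serialization that fails to preserve the protocol.
function serializeHashed({ scheme, host, port, name }, includeScheme = true) {
  const parts = includeScheme ? [scheme, host, port, name] : [host, port, name];
  const digest = createHash('sha256').update(JSON.stringify(parts)).digest('base64url');
  return `suborigin://${digest}`;
}

// A pre-existing receiver that compares event.origin to literal strings.
const legacyAllowList = new Set(['https://example.com']);
function legacyAccepts(origin) {
  return legacyAllowList.has(origin);
}

// A suborigin-aware receiver can parse the plain form back into components...
function parsePlain(serialized) {
  const m = /^suborigin:\/\/([^@]+)@([a-z][a-z0-9.-]*)\+([^:]+):(\d+)$/.exec(serialized);
  if (!m) return null;
  return { name: decodeURIComponent(m[1]), scheme: m[2], host: m[3], port: Number(m[4]) };
}

// ...but can only compare the hashed form against a value it recomputes itself.
function hashedMatches(serialized, expectedTuple) {
  return serialized === serializeHashed(expectedTuple);
}

// Constructed sample tuples: same host and suborigin name, different protocol.
const secure = { scheme: 'https', host: 'example.com', port: 443, name: 'payments' };
const insecure = { ...secure, scheme: 'http' };
```

Neither form passes `legacyAccepts`, so an existing literal-match check fails closed either way; the difference is that the plain form can be inspected component by component, while the hashed form is opaque and collides across `http` and `https` unless the scheme is part of the hash input.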
