
Re: Adding cookie scope to CSP

From: Trevor Perrin <trevp@trevp.net>
Date: Fri, 13 Sep 2013 16:57:13 -0700
Message-ID: <CAGZ8ZG2XGmySQb6HVNqOhkh4Wy7D9-MmyyYwDxZpeK-_hJQq4Q@mail.gmail.com>
To: "Nottingham, Mark" <mnotting@akamai.com>
Cc: Tobias Gondrom <tobias.gondrom@gondrom.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Fri, Sep 13, 2013 at 4:47 PM, Nottingham, Mark <mnotting@akamai.com> wrote:
> I don't see how CSP is competitive to those more ambitious approaches.

They would (hopefully!) solve the problem your CSP proposal is trying
to solve, but solve it in a broader way so cookies are protected
whether they are read/written via JavaScript *or* HTTP headers.


Trevor
Received on Friday, 13 September 2013 23:57:40 UTC
