Re: Origin-scoped cache/cookie/storage context

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 10 Jan 2014 11:13:35 +0000
Message-ID: <CADnb78gSwJcf29mQ5KfzUTi3n7vz1aXjoKBDeJE4+tg3bDS51g@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Nasko Oskov <nasko@google.com>, WebAppSec WG <public-webappsec@w3.org>, TAG <www-tag@w3.org>

On Fri, Jan 10, 2014 at 9:20 AM, Mike West <mkwst@google.com> wrote:
> I like the concept very much. I'm unclear as to the practical implementation
> you're proposing. How do sites opt-in to this sort of treatment? How do you
> determine when a site ought to get credentials and when it shouldn't?

I would expect opt-in to be similar to HSTS. Once done, the browser
will remember that the given origin wants to be partitioned. And only
if that origin is navigated to is its associated context (such as
cookies and cache) available.

It's not entirely clear if in different contexts (when something else
is navigated to) isolated origins should be given special treatment.

This came out of a discussion we had about hosted apps and similar
experiments and how they are different from the web you browse and
whether we should make that into something you can opt into. (I hope
this addresses Henri's question too.)
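As an added illustration (not part of Anne's message, and not any browser's or the WG's code), the following toy model shows the HSTS-like behaviour described above: an origin opts in once, the browser remembers it for a max-age, and that origin's context (cookies, cache) is only made available when the origin itself is the one navigated to. The header name `Origin-Isolation`, its `max-age` syntax, and the origins used in the comments are assumptions for this example. For the open question in the message, the model takes one of the possible answers: an isolated origin embedded in someone else's page gets no context at all.

```javascript
// Toy model of an HSTS-style "partition me" opt-in. Everything here is
// constructed for illustration; "Origin-Isolation" is a hypothetical header.

// Parse the hypothetical opt-in header: "max-age=<seconds>". Returns the
// number of seconds, or null if the value is malformed.
function parseOptIn(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^\s*max-age\s*=\s*(\d+)\s*$/i.exec(headerValue);
  return m ? Number(m[1]) : null;
}

class PartitionRegistry {
  // `now` is injectable so expiry can be tested deterministically.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.entries = new Map(); // canonical origin -> expiry timestamp (ms)
  }

  // Record an opt-in seen on a response from `origin`. As with HSTS, the
  // directive is only honoured over https, and max-age=0 clears the entry.
  observeResponse(origin, headerValue) {
    const url = new URL(origin);
    const maxAge = parseOptIn(headerValue);
    if (url.protocol !== 'https:' || maxAge === null) return false;
    if (maxAge === 0) {
      this.entries.delete(url.origin);
      return true;
    }
    this.entries.set(url.origin, this.now() + maxAge * 1000);
    return true;
  }

  // True while the origin's opt-in has not expired.
  isIsolated(origin) {
    const key = new URL(origin).origin;
    const expiry = this.entries.get(key);
    if (expiry === undefined) return false;
    if (expiry <= this.now()) {
      this.entries.delete(key);
      return false;
    }
    return true;
  }

  // Decide which storage context a request may use.
  //   topLevel: origin of the document the user navigated to
  //   target:   origin the request is being sent to
  // Returns { context, credentials }; context === null means "no state at all".
  contextFor(topLevel, target) {
    const top = new URL(topLevel).origin;
    const tgt = new URL(target).origin;
    if (this.isIsolated(tgt)) {
      // An isolated origin's cookies/cache exist only when it is the
      // navigated-to origin; embedded anywhere else it gets nothing.
      return top === tgt
        ? { context: tgt, credentials: true }
        : { context: null, credentials: false };
    }
    // Ordinary web: the target's usual context, wherever it is loaded.
    return { context: tgt, credentials: true };
  }
}

// Stand-alone demonstration with a fixed clock and constructed origins.
function demo() {
  let clock = 1_000_000;
  const reg = new PartitionRegistry(() => clock);
  reg.observeResponse('https://app.example', 'max-age=3600');
  const results = {
    sameOrigin: reg.contextFor('https://app.example', 'https://app.example'),
    embedded: reg.contextFor('https://other.example', 'https://app.example'),
    ordinary: reg.contextFor('https://other.example', 'https://cdn.example'),
  };
  clock += 3601 * 1000; // let the opt-in expire
  results.afterExpiry = reg.isIsolated('https://app.example');
  return results;
}
```

Note that the expiry and the https-only rule mirror HSTS deliberately: an opt-in that could be set over plain http, or that never expired, would let a network attacker or a stale entry change how a site's state is handled long after the fact.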

Received on Friday, 10 January 2014 11:14:07 UTC