- From: Brian Smith <brian@briansmith.org>
- Date: Thu, 6 Nov 2014 13:37:15 -0800
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> wrote: > I think this boils down to the question of whether `https://example.com/` is > the same origin as `https://example.com./`. It's not clear to me whether > that's the case. Chrome, at least, has separate storage areas for the two > hosts. I'm tempted to say that that's a good result, but I don't have a feel > for the implications. It seems Gecko also treats them as separate origins. So, I guess the currently-specified behavior may be OK. However, note that there are negative consequences to this, for example HSTS bypass [1]. Regardless of which way is considered correct, I think it would be useful to clarify this (e.g. with a non-normative example) because I can see people getting it wrong either way. Note that when it comes to certificate hostname matching, Chrome (for a while) and Firefox (as of recently) both treat "example.com." as equal to "example.com". Cheers, Brian [1] https://bugzilla.mozilla.org/show_bug.cgi?id=774769
Received on Thursday, 6 November 2014 21:37:42 UTC