- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 17 Apr 2015 23:00:41 -0700
- To: Mike West <mkwst@google.com>
- Cc: Brian Smith <brian@briansmith.org>, Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>
- Message-ID: <CADYDTCA2KPQ+_92HQ1orhomZ7goAvu0+ruXHETNrvBaGrsZcpw@mail.gmail.com>
On Thu, Feb 12, 2015 at 12:04 AM, Mike West <mkwst@google.com> wrote:

> I'd justify crossing the origin boundary here by noting that
> subdomains can act as their parent domains via `document.domain`,

Only if the parent domain explicitly opts in by setting document.domain itself--this is the reason for the mysterious "document.domain = document.domain;" code in some old sites. Any site still doing that is opening itself up to abuse by any of its subdomains.

document.domain is a botch we've regretted for at least 15 years[*]; we should kill it, not emulate it.

[*] https://bugzilla.mozilla.org/show_bug.cgi?id=149943#c4

> cookies cross the origin/host boundary with abandon.

Another 90s decision we suffer with to this day.

> Given that we wish to protect against abuse of both, allowing explicitly pinned
> policies to take effect over that boundary seems reasonable.

If these are the only reasons to propagate a CSP-pin to subdomains I'd be more comfortable if we invented mechanisms to address those concerns that didn't require includeSubdomains. For example, we could have a no-document-domain directive in the pinned CSP for the parent site, and a host-only-cookies directive (essentially allow the parent to declare itself a "public suffix").

>>> Publishing a WD to widen the net seems like a good way of determining
>>> whether or not this kind of thing has legs.
>>
>> I don't know how the working group works, exactly. My expectation is
>> that the "determining whether or not this kind of thing has legs" step
>> should occur before adoption of the thing as a work item.

Within the working group we decided a feature seemed likely to provide a solution to a real problem before accepting it as a work item. "Widening the net" means the notice of people outside the circle of this small working group, from whence we might get additional feedback that changes our opinion on the usefulness of the spec or helps give it a better shape.

- Dan Veditz
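The two boundary crossings debated above, modelled in working code as an added example that is not part of the thread: a subdomain that sets document.domain cannot reach a parent that never opted in, while a domain cookie set by the subdomain is sent to the parent unless it is host-only. The `hostOnly` flag stands in for the host-only-cookies idea, and the "must contain a dot" rule is a simplified stand-in for a real public-suffix check; both are assumptions of this example.

```javascript
// Added example; models browser rules, not code from the W3C thread.

// A document records its origin host, its effective domain, and whether
// document.domain was explicitly assigned (the opt-in Dan describes).
function makeDoc(host) {
  return { host, effectiveDomain: host, domainSet: false };
}

// Emulates `document.domain = value`. Browsers reject values that are not
// the host itself or a parent of it, and reject public suffixes; the
// "must contain a dot" test is a simplification of the public-suffix list.
function setDocumentDomain(doc, value) {
  const isSelf = value === doc.host;
  const isParent = doc.host.endsWith('.' + value) && value.includes('.');
  if (!isSelf && !isParent) return false;
  doc.effectiveDomain = value;
  doc.domainSet = true;
  return true;
}

// Two documents may script each other only if both have the same effective
// domain AND both explicitly set it (or neither did). This is why a parent
// that never runs `document.domain = document.domain` stays unreachable.
function canScript(a, b) {
  return a.effectiveDomain === b.effectiveDomain && a.domainSet === b.domainSet;
}

// Cookie scoping: a host-only cookie matches its exact host; a domain cookie
// matches the domain and every host beneath it (RFC 6265 domain-match).
function cookieSentTo(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost === cookie.domain;
  return requestHost === cookie.domain ||
    requestHost.endsWith('.' + cookie.domain);
}

// Scenario with constructed hosts: parent example.com, child sub.example.com.
function scenario() {
  const parent = makeDoc('example.com');
  const sub = makeDoc('sub.example.com');
  setDocumentDomain(sub, 'example.com');        // subdomain relaxes alone
  const beforeOptIn = canScript(parent, sub);    // false: parent never opted in
  setDocumentDomain(parent, 'example.com');     // the "mysterious" opt-in line
  const afterOptIn = canScript(parent, sub);     // true: now any subdomain can
  // Subdomain sets a cookie for the parent domain; it reaches example.com.
  const domainCookie = { domain: 'example.com', hostOnly: false };
  const hostOnlyCookie = { domain: 'sub.example.com', hostOnly: true };
  return {
    beforeOptIn, afterOptIn,
    domainCookieLeaks: cookieSentTo(domainCookie, 'example.com'),     // true
    hostOnlyCookieLeaks: cookieSentTo(hostOnlyCookie, 'example.com'), // false
  };
}
```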
Received on Saturday, 18 April 2015 06:01:09 UTC