- From: Erik Nygren <erik+w3@nygren.org>
- Date: Thu, 27 Aug 2015 13:22:29 -0400
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 27 August 2015 17:22:56 UTC
I continue to run into cases where it would be extremely valuable to have a
CSP policy that constrains cookie setting to an origin or host. It would
be worthwhile to find some way to move this forwards.
For example, to allow:
Content-Security-Policy: cookie-scope=origin
In particular, there is little that can be done today by a web server to
prevent javascript from setting cookies on parent domains. (The only thing
I'm aware of that helps for some clients is to add domains to the Public
Suffix List.)
Such a policy could also allow origins to enforce "Origin Cookie" semantics
rather than the historically different semantics that apply to cookies.
From previous discussion, other cookie scopes might also have value:
https://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0046.html
Best, Erik
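Added example, not part of Erik's message or of any browser: a small JavaScript check that audits a Set-Cookie or document.cookie string the way a cookie-scope directive might, flagging a Domain attribute that reaches a parent domain. The message does not define the directive's semantics, so the "host" and "origin" rules below, and the origin https://app.example.com used in the tests, are assumptions.

```javascript
// Added example, not from the original message: an audit check that
// approximates what the proposed cookie-scope directive would enforce.
// Assumed semantics (the message does not define them):
//   "host"   - cookie must be host-only: no Domain attribute, or Domain
//              equal to the setting host (a parent domain is rejected)
//   "origin" - as "host", plus Secure on https origins, so the cookie
//              cannot be sent back over plain http

function parseSetCookie(header) {
  // Split a Set-Cookie / document.cookie string into name, value, attrs.
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: name.trim(), value, attrs };
}

// Decide whether script running at `origin` (e.g. "https://app.example.com")
// may set `setCookie` under the given policy. Returns { allowed, reason }.
function checkCookieScope(policy, origin, setCookie) {
  const url = new URL(origin);
  const host = url.hostname.toLowerCase();
  const cookie = parseSetCookie(setCookie);
  const domainAttr = cookie.attrs.domain;
  if (typeof domainAttr === 'string' && domainAttr !== '') {
    // Browsers ignore a leading dot; compare case-insensitively.
    const domain = domainAttr.replace(/^\./, '').toLowerCase();
    if (domain !== host) {
      return { allowed: false,
               reason: `Domain=${domain} widens scope beyond host ${host}` };
    }
  }
  if (policy === 'origin' && url.protocol === 'https:' && !cookie.attrs.secure) {
    return { allowed: false, reason: 'https origin requires Secure' };
  }
  return { allowed: true, reason: `scoped to ${policy} ${host}` };
}
```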