- From: Craig Francis <craig.francis@gmail.com>
- Date: Thu, 27 Aug 2015 18:48:21 +0100
- To: Erik Nygren <erik+w3@nygren.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-Id: <6DCECD4A-67D8-4A7B-820D-DBDC9C913351@gmail.com>
On 27 Aug 2015, at 18:22, Erik Nygren <erik+w3@nygren.org> wrote: > Content-Security-Policy: cookie-scope=origin Would part of this be covered with the First-Party-Only cookies suggestion? https://tools.ietf.org/html/draft-west-first-party-cookies-03 Which allows the scope to be set on a per cookie basis. As to blocking cookies on the parent domain, I'm not sure how easily that could be implemented in CSP... I like the idea though. On 27 Aug 2015, at 18:22, Erik Nygren <erik+w3@nygren.org> wrote: > I continue to run into cases where it would be extremely valuable to have a CSP policy that constrains cookie setting to an origin or host. It would be worthwhile to find some way to move this forwards. > > For example, to allow: > Content-Security-Policy: cookie-scope=origin > In particular, there is little that can be done today by a web server to prevent javascript from setting cookies on parent domains. (The only thing I'm aware of that helps for some clients is to add domains to the Public Suffix List.) > > Such a policy could also allow origins to enforce "Origin Cookie" semantics rather than the historically different semantics that apply to cookies. > > From previous discussion, other cookie scopes might also have value: > > https://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0046.html > > Best, Erik > > >
Received on Thursday, 27 August 2015 17:48:52 UTC