- From: Mike West <mkwst@google.com>
- Date: Fri, 28 Aug 2015 07:02:18 +0200
- To: Erik Nygren <erik+w3@nygren.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=faqNwty_8pqCpKsrcxJAJBmbK=9H+Dpw66BpQnF1BuZA@mail.gmail.com>
On Thu, Aug 27, 2015 at 7:22 PM, Erik Nygren <erik+w3@nygren.org> wrote:

> From previous discussion, other cookie scopes might also have value:
>
> https://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0046.html

Ah, September 2013. One of the several times at which I thought that CSP2 was done and ready to ship. How absurd and naïve in hindsight. I didn't do a good job driving things to completion, as is likely quite obvious from the 2-year gap between then and now.

I still like mnot's proposal, and I think it does indeed address the concerns of folks like sandstorm.io. I intend to add something like it to CSP3. I'm not sure that the extensions proposed (path, etc.) are useful, and tend towards thinking that we should avoid improving support for the cookie properties that don't mesh well with web origins.

Relatedly, we'll likely also want something to control `document.domain`. It's possible, in fact, that these two things are really the same. That is, anyone who would want to lock `document.cookie` to the current host would likely also want to lock `document.domain`. We could certainly add separate syntax for this if desired, but combining them seems like it might be reasonable.

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registration court and number: Hamburg, HRB 86891, Registered office: Hamburg, Managing Directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 28 August 2015 05:03:06 UTC