- From: Mike West <mkwst@google.com>
- Date: Thu, 15 Jan 2015 12:34:19 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=fUuod0qstauCUpAN1Ha6WXv_DMT5XNHJpP7fbeSorh+Q@mail.gmail.com>
On Thu, Nov 6, 2014 at 10:37 PM, Brian Smith <brian@briansmith.org> wrote:
> Mike West <mkwst@google.com> wrote:
> > I think this boils down to the question of whether `https://example.com/` is
> > the same origin as `https://example.com./`. It's not clear to me whether
> > that's the case. Chrome, at least, has separate storage areas for the two
> > hosts. I'm tempted to say that that's a good result, but I don't have a feel
> > for the implications.
>
> It seems Gecko also treats them as separate origins. So, I guess the
> currently-specified behavior may be OK. However, note that there are
> negative consequences to this, for example HSTS bypass [1].
>
> Regardless of which way is considered correct, I think it would be
> useful to clarify this (e.g. with a non-normative example) because I
> can see people getting it wrong either way.

Based on the discussion here, I've added a note to the document:
https://github.com/w3c/webappsec/commit/682b69cf4d73e47b155a2ddd778d4ed7fe0f04ae

Thanks for raising this, Brian. Sorry it took so long for me to do anything about it.

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
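Editor's added example (not part of the thread above, and not Chrome's, Gecko's or the spec's code): the origin comparison the two messages are arguing about, in Python, followed by a toy HSTS store that shows the bypass shape Brian alludes to. An origin is the (scheme, host, port) tuple, and the host is compared as a string, so `example.com` and `example.com.` (the same DNS name, written with its root label) are distinct origins. A store that keys HSTS entries on that raw string will not upgrade `http://example.com./`, while one that strips the trailing dot before lookup will. `HSTSStore`, `canonical_host` and the URLs are the example's own constructs; real browser HSTS stores are more involved than this.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple that same-origin checks compare.

    urlsplit().hostname lowercases the host and drops userinfo/port but keeps a
    trailing dot, so 'example.com' and 'example.com.' come out as different hosts.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname, port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def canonical_host(host):
    """Strip one trailing dot (the DNS root label) so both spellings share a key."""
    return host[:-1] if host.endswith(".") and len(host) > 1 else host


class HSTSStore:
    """Toy HSTS store (assumption: not how any browser implements it).

    With normalize=False the store keys entries on the raw host string, so a
    request to the trailing-dot spelling is never upgraded. With normalize=True
    both spellings map to the same entry.
    """

    def __init__(self, normalize):
        self.normalize = normalize
        self.hosts = set()

    def _key(self, host):
        host = host.lower()
        return canonical_host(host) if self.normalize else host

    def add(self, host):
        self.hosts.add(self._key(host))

    def upgrade(self, url):
        """Return the URL rewritten to https if its host has an HSTS entry."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        if self._key(parts.hostname) in self.hosts:
            return parts._replace(scheme="https").geturl()
        return url


if __name__ == "__main__":
    plain, dotted = "https://example.com/", "https://example.com./"
    print(origin(plain), origin(dotted), same_origin(plain, dotted))

    naive, fixed = HSTSStore(normalize=False), HSTSStore(normalize=True)
    for store in (naive, fixed):
        store.add("example.com")  # entry learned from a prior https response
    target = "http://example.com./login"
    print("naive:", naive.upgrade(target))  # stays http
    print("fixed:", fixed.upgrade(target))  # upgraded
```

Run it as a script to see both stores side by side; the naive store leaves the trailing-dot request on plain http even though it is the same DNS name the HSTS entry was learned for.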
Received on Thursday, 15 January 2015 11:35:07 UTC