W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2015

Re: Proposal: a "clear site data" API.

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 12 Jun 2015 10:49:17 -0700
Message-ID: <CABkgnnXtNopW-_3fWBxjzxGOh5mMiVAXgtoVzX2T-KMZGaNnGw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Richard Barnes <rbarnes@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Tanvi Vyas <tanvi@mozilla.com>, Jake Archibald <jakearchibald@google.com>, Alex Russell <slightlyoff@google.com>, Jonas Sicking <jonas@sicking.cc>
On 12 June 2015 at 09:41, Mike West <mkwst@google.com> wrote:
> The spec does currently require HTTPS. I'm not sure we could reasonably
> relax that, for exactly the reasons you point to. It sounds like exactly the
> kind of API for which we'd want to require an authenticated and encrypted
> connection.

I actually think that having this on cleartext connections is a
benefit.  Unless there is persistent data that somehow prevents other
persistence from happening.  I'm not aware of any such feature.

Elsewhere, Henri Sivonen suggested that we make cookies on cleartext
origins less persistent by default.  This is seems consistent with
that philosophy.
Received on Friday, 12 June 2015 17:49:44 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC