
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Henry Story <henry.story@co-operating.systems>
Date: Wed, 16 Sep 2015 19:45:01 +0100
Cc: Brad Hill <hillbrad@gmail.com>, Tony Arcieri <bascule@gmail.com>, Rigo Wenning <rigo@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, Mike O'Neill <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <2C367B9E-3003-4BC1-B9F8-298D1382A5AE@co-operating.systems>
To: Martin Thomson <martin.thomson@gmail.com>

> On 16 Sep 2015, at 18:54, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 16 September 2015 at 08:59, Henry Story
> <henry.story@co-operating.systems> wrote:
>> Cookies respect SOP by design
> 
> This is not correct.  Cookies are part of the legacy cruft of the HTTP
> protocol.  Just as application/x-form-data is
> (https://fetch.spec.whatwg.org/#dom-request step 8)

It's really difficult to infer from that Step 8 what you are trying to 
get at. Can you develop just a little bit?

Does that actually affect the point I was making? 

Henry
Received on Wednesday, 16 September 2015 18:45:34 UTC
