
Re: SOP wiki was: A Somewhat Critical View of SOP (Same Origin Policy)

From: Hodges, Jeff <jeff.hodges@paypal.com>
Date: Tue, 29 Sep 2015 21:24:20 +0000
To: Tony Arcieri <bascule@gmail.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <D2300FEB.30FE3%jehodges@paypalcorp.com>
On 9/29/15, 9:45 AM, "Tony Arcieri" <bascule@gmail.com> wrote:

On Tue, Sep 29, 2015 at 11:40 AM, Brad Hill <hillbrad@gmail.com> wrote:
Within the context of Web Origins, FIDO uses approximately the same scoping rules as cookies. That is to say, key scope must stay within a delegated label or its children and not cross delegation points identified by the public suffix list. "www.example.com" and "register.example.com" can each set a cookie for "example.com" which the other can see, but subdomains of "hosting.example.com" cannot set cookies at or beyond that label if it is designated as a public suffix. This provides some limited usability affordances within the existing information flow boundaries of the web security model while mostly ensuring that keys are scoped to a single logical organization as defined by domain registrars.

Huh, interesting, I wasn't aware of that.

That is what is explained in http://identitymeme.org/http-cookie-processing-algorithm-etlds/


=JeffH
Received on Tuesday, 29 September 2015 21:24:52 UTC
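The scoping rule Brad Hill describes above, as an added example that is not code from this thread or from any FIDO or browser implementation: a Python model of the check a user agent applies to a cookie's Domain attribute against a public suffix list. The suffix set is constructed for the illustration (with hosting.example.com designated a public suffix, as in his example); the real Public Suffix List's wildcard and exception rules are omitted.

```python
from typing import List, Optional

# Constructed suffix list for this example only; a real user agent consults the
# full Public Suffix List. "hosting.example.com" is treated as a public suffix,
# matching the example in the quoted message.
PUBLIC_SUFFIXES = {"com", "hosting.example.com"}


def _labels(name: str) -> List[str]:
    return name.lower().strip(".").split(".")


def public_suffix(host: str) -> str:
    """Longest suffix of host found in the list; falls back to the last label."""
    labels = _labels(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def registrable_domain(host: str) -> Optional[str]:
    """Public suffix plus one label: the 'logical organization' a registrar
    delegated. None when the host is itself a public suffix."""
    labels = _labels(host)
    suffix_len = len(_labels(public_suffix(host)))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: a cookie with Domain=domain is sent to host."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def may_set_cookie_domain(host: str, domain: str) -> bool:
    """May a response from host set a cookie with Domain=domain?

    The Domain must cover the host, and must lie within the host's registrable
    domain: a host under a public suffix cannot set a cookie at that suffix or
    at any label above it, so it cannot reach siblings under the same suffix."""
    domain = domain.lower().lstrip(".")
    if not domain_matches(host, domain):
        return False
    rd = registrable_domain(host)
    return rd is not None and domain_matches(domain, rd)
```

With this model, www.example.com and register.example.com can both set and see a cookie for example.com, while a.hosting.example.com can set cookies only for itself.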

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC