Re: [Proposal]: Set origin-wide policies via a manifest.

From: Mike West <mkwst@google.com>
Date: Tue, 26 Jul 2016 19:52:14 +0200
Message-ID: <CAKXHy=fD1zMU3gGyiSvG2CR07CFhq_gCAON1fpwd47ikw76qDA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "Mike O'Neill" <michael.oneill@baycloud.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Jul 26, 2016 at 7:41 PM, Brad Hill <hillbrad@gmail.com> wrote:

> I think there will likely be many versions over time, or customized to
> specific user agents, as part of A/B tests, etc.  I like the idea of
> versioning it with the hash, or an etag type mechanism; it seems there is
> no need for an arbitrary, human-readable string.
>
> Will there be distinctions on use of this in first-party vs third-party
> contexts (hello, Safari team) as it is a cookie equivalent?  That does
> complicate the operational model a bit for iframed application components,
> but not too badly.
>

Ah, that I didn't consider. Yes, if we broadcast the ID back to the origin
server, we'd need to treat it like a cookie for all the ways in which a
cookie can be controlled in a user agent. Basically, if you can't set
cookies for a request, you also can't have origin policy for the request.

I'll add some text.

-mike
Received on Tuesday, 26 July 2016 17:53:05 UTC