- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Thu, 28 Jul 2016 15:44:05 +0100
- To: "'Anne van Kesteren'" <annevk@annevk.nl>
- Cc: "'Mike West'" <mkwst@google.com>, "'Brad Hill'" <hillbrad@gmail.com>, "'Patrick Toomey'" <patrick.toomey@github.com>, "'Joel Weinberger'" <jww@google.com>, "'Devdatta Akhawe'" <dev.akhawe@gmail.com>, "'WebAppSec WG'" <public-webappsec@w3.org>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OK, but you could extra info in them to check, the whole url if you had to. What does an infinitely variable Origin-Policy response bring to the table, that cannot be done using existing APIs? - -----Original Message----- From: Anne van Kesteren [mailto:annevk@annevk.nl] Sent: 28 July 2016 15:35 To: Mike O'Neill <michael.oneill@baycloud.com> Cc: Mike West <mkwst@google.com>; Brad Hill <hillbrad@gmail.com>; Patrick Toomey <patrick.toomey@github.com>; Joel Weinberger <jww@google.com>; Devdatta Akhawe <dev.akhawe@gmail.com>; WebAppSec WG <public-webappsec@w3.org> Subject: Re: [Proposal]: Set origin-wide policies via a manifest. On Thu, Jul 28, 2016 at 4:23 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote: > The point I was making about cookies is that it up to the server, it can get the policy from the Origin-Policy header or the Cookie header, it makes no difference to it. Why add another mechanism for sending UIDs if it is not necessary? Cookies are not origin-scoped. > The reason using cookies is better is because there is already UI than shows them on a per origin basis. There are also browser extensions e.g. PrivacyBadger that manages them to give the user better privacy. They might not look themselves (I admit I am a bit different in that regard), but plenty people worry about privacy i.e. automated decisions made about them beyond their ken, so install an extension or use a more privacy oriented UA. That UI is way too complicated. UAs should group storage-related information in the UI as advocated by https://storage.spec.whatwg.org/. > Of course the spec could require Origin-Policy headers to be covered by all the rules on cookies including the extension APIs but why go to all that bother? It's not a lot of bother, we do it for lots of things. And cookies have bad semantics as they're not origin-scoped. - -- https://annevankesteren.nl/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using gpg4o v3.5.54.6734 - http://www.gpg4o.com/ Charset: utf-8 iQIcBAEBAgAGBQJXmho0AAoJEOX5SQClVeMPeHsP/142fJm958BFva/lkGf0FlpK eSAQWTJ6lzMad1fus0anOe7MJeR992+nXXmOJzTwlDR+yMoBTQTHpYBysReYUDqZ yYG5urXDEgB1nl/ggJkjpAytNk+ZkOlx2zPimaNKYyfDNpCDIFA/A8tTD/+Xydn7 vaLi6A1IhxoiKfyl6imgxwqDO8TZOF03B93Ej+YWleZinZSGUWqrOg+iM2jRGsfd 4In7gzVihxNnzGsodqe3WftCgdEx7ov/KPf+HmmRueTrn7AeETW7gscR0SHupLbR p55YVnPaPVToFGTlFv4z6ARhhQ2kpgqYUWBtZ3QgAOCaE0ZgrHQfAcgAw4SY4yH3 A+xaFOqdD59ydEU1fNlmMBWI/9Vr/Igil/tMDDw8cSGGCo3IyBgMB/+pmljgR4Iv 87v/cELcWJZzgnUZ7H0o7ktBoVsRPIezAir9K6Xr9ZqGbXC+n/9mEsdhs2qwZ9pc P5+ttotPXR0AdpSjE+pF3EvEWgjN3xMmw+dNAl9Ho0XXP1PkWgFBPr8HehJx2fGr zRRJYLlksfIDt/BV5ONdNLPlBYwAqc3FruTYPRXlF7A/FTYV+VbdQ9ShTGrnInF8 iXyfzV3SFSM9sm6b/SPxoa41mxozuNHYUlhA7Bc6uc7xrgzrQ/JITGFKeuBHnilo HyhaimuRPKzIiRcuo6Qj =9901 -----END PGP SIGNATURE-----
Received on Thursday, 28 July 2016 14:44:40 UTC