
RE: [Proposal]: Set origin-wide policies via a manifest.

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 28 Jul 2016 15:44:05 +0100
To: "'Anne van Kesteren'" <annevk@annevk.nl>
Cc: "'Mike West'" <mkwst@google.com>, "'Brad Hill'" <hillbrad@gmail.com>, "'Patrick Toomey'" <patrick.toomey@github.com>, "'Joel Weinberger'" <jww@google.com>, "'Devdatta Akhawe'" <dev.akhawe@gmail.com>, "'WebAppSec WG'" <public-webappsec@w3.org>
Message-ID: <3e6601d1e8de$7dcbb160$79631420$@baycloud.com>

OK, but you could put extra info in them to check, the whole URL if you had to. What does an infinitely variable Origin-Policy response bring to the table that cannot be done using existing APIs?

-----Original Message-----
From: Anne van Kesteren [mailto:annevk@annevk.nl] 
Sent: 28 July 2016 15:35
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: Mike West <mkwst@google.com>; Brad Hill <hillbrad@gmail.com>; Patrick Toomey <patrick.toomey@github.com>; Joel Weinberger <jww@google.com>; Devdatta Akhawe <dev.akhawe@gmail.com>; WebAppSec WG <public-webappsec@w3.org>
Subject: Re: [Proposal]: Set origin-wide policies via a manifest.

On Thu, Jul 28, 2016 at 4:23 PM, Mike O'Neill
<michael.oneill@baycloud.com> wrote:
> The point I was making about cookies is that it is up to the server: it can get the policy from the Origin-Policy header or the Cookie header, it makes no difference to it. Why add another mechanism for sending UIDs if it is not necessary?

Cookies are not origin-scoped.


> The reason using cookies is better is because there is already UI that shows them on a per-origin basis. There are also browser extensions, e.g. PrivacyBadger, that manage them to give the user better privacy. They might not look themselves (I admit I am a bit different in that regard), but plenty of people worry about privacy, i.e. automated decisions made about them beyond their ken, so install an extension or use a more privacy-oriented UA.

That UI is way too complicated. UAs should group storage-related
information in the UI as advocated by
https://storage.spec.whatwg.org/.


> Of course the spec could require Origin-Policy headers to be covered by all the rules on cookies including the extension APIs but why go to all that bother?

It's not a lot of bother, we do it for lots of things. And cookies
have bad semantics as they're not origin-scoped.


-- 
https://annevankesteren.nl/
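As an added illustration of the point raised in the thread that cookies are not origin-scoped (this is example code written for this archive page, not code from any participant or from the Origin-Policy proposal): the Python below computes the (scheme, host, port) web-origin tuple and applies a simplified RFC 6265 cookie-matching rule to a constructed list of URLs. The cookie attributes, hostnames and URLs are constructed sample values. It shows that a Domain cookie set by https://example.com is attached to requests for four distinct origins, and that even a tighter host-only Secure cookie still reaches two origins because cookie matching never looks at the port.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """The (scheme, host, port) tuple that defines a web origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def domain_matches(request_host, cookie_domain):
    """RFC 6265 s5.1.3 domain-match, simplified (no IP-literal handling)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 s5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_sent_to(cookie, url):
    """Would a UA attach this stored cookie to a request for url?

    cookie: dict with keys domain, host_only, path, secure.
    Note that nothing here inspects the port, and the scheme only matters
    when the Secure flag is set: that is the gap between cookie scope and
    origin scope.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie["host_only"]:
        if host != cookie["domain"].lower():
            return False
    elif not domain_matches(host, cookie["domain"]):
        return False
    if cookie["secure"] and parts.scheme.lower() != "https":
        return False
    return path_matches(parts.path or "/", cookie["path"])


def origins_receiving(cookie, urls):
    """Set of distinct origins whose requests would carry the cookie."""
    return {origin(u) for u in urls if cookie_sent_to(cookie, u)}


# Constructed sample: URLs a UA might fetch after https://example.com
# set a cookie. None of these hostnames or ports come from the thread.
SAMPLE_URLS = [
    "https://example.com/",
    "http://example.com/",
    "https://example.com:8443/",
    "https://api.example.com/",
    "https://example.org/",
]

# A cookie set with Domain=example.com (so not host-only), Path=/, no Secure.
DOMAIN_COOKIE = {"domain": "example.com", "host_only": False, "path": "/", "secure": False}

# A __Host- style cookie: Secure, host-only, Path=/. Much tighter, but the
# port is still ignored, so it still spans more than one origin.
HOST_COOKIE = {"domain": "example.com", "host_only": True, "path": "/", "secure": True}

if __name__ == "__main__":
    for name, c in (("Domain cookie", DOMAIN_COOKIE), ("__Host- cookie", HOST_COOKIE)):
        print(name, "reaches origins:", sorted(origins_receiving(c, SAMPLE_URLS)))
```

Running the module prints the origins each cookie reaches. The defender's takeaway is the one Anne states: a policy carried in a cookie can be read by, and set from, a different scheme, port or subdomain than the one the policy was meant for, whereas an origin-keyed mechanism cannot.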
Received on Thursday, 28 July 2016 14:44:40 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC