Re: [Proposal]: Set origin-wide policies via a manifest.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 28 Jul 2016 16:53:51 +0200
Message-ID: <CADnb78hsb6BDg0m9WEzFLLriQGH6un-O0=Li80UvuFjtp8Omvg@mail.gmail.com>
To: "Mike O'Neill" <michael.oneill@baycloud.com>
Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>, Patrick Toomey <patrick.toomey@github.com>, Joel Weinberger <jww@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, WebAppSec WG <public-webappsec@w3.org>

On Thu, Jul 28, 2016 at 4:44 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
> OK, but you could extra info in them to check, the whole url if you had to. What does an infinitely variable Origin-Policy response bring to the table, that cannot be done using existing APIs?

I'm not sure what you mean here. As I understand it these are the requirements:

* Client needs to advertize support
* Client needs to advertize what policy it has, if anything
* Server needs to advertize support
* Server needs to advertize the latest policy

There are various ways to accomplish this; tradeoffs have been discussed
on this thread. Nothing like this can be done through existing APIs,
since it requires infrastructure changes.

Received on Thursday, 28 July 2016 14:54:18 UTC