- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Thu, 28 Jul 2016 16:13:50 +0100
- To: "'Anne van Kesteren'" <annevk@annevk.nl>
- Cc: "'Mike West'" <mkwst@google.com>, "'Brad Hill'" <hillbrad@gmail.com>, "'Patrick Toomey'" <patrick.toomey@github.com>, "'Joel Weinberger'" <jww@google.com>, "'Devdatta Akhawe'" <dev.akhawe@gmail.com>, "'WebAppSec WG'" <public-webappsec@w3.org>
Client says it can handle origin policies - Origin-Policy:1 (always or nothing if it cannot handle it)

Server says Origin-Policy: hash (of latest policy indicated by this url and set of request headers including cookies)

Client may have to load another version if its hash differs from any of the ones that have been pushed to it or it has requested explicitly, then applies that policy before loading the resource.

When is it necessary to send anything other than 1?

-----Original Message-----
From: Anne van Kesteren [mailto:annevk@annevk.nl]
Sent: 28 July 2016 15:54
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: Mike West <mkwst@google.com>; Brad Hill <hillbrad@gmail.com>; Patrick Toomey <patrick.toomey@github.com>; Joel Weinberger <jww@google.com>; Devdatta Akhawe <dev.akhawe@gmail.com>; WebAppSec WG <public-webappsec@w3.org>
Subject: Re: [Proposal]: Set origin-wide policies via a manifest.

On Thu, Jul 28, 2016 at 4:44 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
> OK, but you could extra info in them to check, the whole url if you had to. What does an infinitely variable Origin-Policy response bring to the table, that cannot be done using existing APIs?

I'm not sure what you mean here. As I understand it these are the requirements:

* Client needs to advertize support
* Client needs to advertize what policy it has, if anything
* Server needs to advertize support
* Server needs to advertize the latest policy

There are various ways to accomplish this, tradeoffs have been discussed on this thread. Nothing like this can be done through existing APIs, since it requires infrastructure changes.
-- 
https://annevankesteren.nl/
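The exchange Mike sketches above (client advertises `Origin-Policy: 1`, server answers with a hash of its latest policy, client fetches a new version only when the hash differs from one it already holds) is simulated below in Python. This is an added illustration, not code from the thread or from any Origin Policy specification. It assumes a SHA-256 over the policy's canonical JSON as the hash, a separate hypothetical fetch of the policy body, and one check the thread does not spell out: the client refuses to apply a fetched body whose hash does not match the value the server advertised, so a stale or substituted body cannot displace the policy it already holds.

```python
import copy
import hashlib
import json

# Constructed sample policy store for the server side (not from the thread).
SERVER_POLICIES = {
    "https://example.test": {"csp": "default-src 'self'", "referrer": "no-referrer"},
}


def policy_hash(policy):
    """Hash a policy over its canonical JSON form so equal policies hash equally.

    SHA-256 over sorted-key JSON is an assumption for this example; the thread
    only says "hash (of latest policy ...)".
    """
    canon = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canon).hexdigest()


def server_response_headers(origin):
    """Server side of the sketch: advertise the hash of the latest policy for this origin."""
    policy = SERVER_POLICIES.get(origin)
    return {"Origin-Policy": policy_hash(policy)} if policy is not None else {}


def server_fetch_policy(origin):
    """Stand-in for the separate fetch of the policy body (assumed; the thread defines no URL)."""
    policy = SERVER_POLICIES.get(origin)
    return copy.deepcopy(policy) if policy is not None else None


class Client:
    def __init__(self):
        # origin -> (hash, policy) for policies already pushed to or fetched by this client
        self.cache = {}

    def request_headers(self):
        # "Origin-Policy: 1" on every request: the client can handle origin policies.
        return {"Origin-Policy": "1"}

    def load(self, origin, fetch=server_fetch_policy):
        """Process the Origin-Policy response header for a navigation to `origin`.

        Returns one of: "no-policy" (server sent nothing), "cached" (advertised
        hash matches a policy we already hold), "fetched" (new body fetched,
        verified against the advertised hash, and applied), "rejected" (fetched
        body did not match the advertised hash; previous policy kept).
        """
        advertised = server_response_headers(origin).get("Origin-Policy")
        if advertised is None:
            return "no-policy"
        cached = self.cache.get(origin)
        if cached is not None and cached[0] == advertised:
            return "cached"
        candidate = fetch(origin)
        # Integrity check (added assumption): only apply a body that hashes to
        # the value the server advertised on this response.
        if candidate is None or policy_hash(candidate) != advertised:
            return "rejected"
        self.cache[origin] = (advertised, copy.deepcopy(candidate))
        return "fetched"

    def active_policy(self, origin):
        entry = self.cache.get(origin)
        return copy.deepcopy(entry[1]) if entry is not None else None


if __name__ == "__main__":
    c = Client()
    print(c.request_headers())
    print(c.load("https://example.test"), c.active_policy("https://example.test"))
    print(c.load("https://example.test"))
```

The hash comparison is what keeps the per-request cost to one header in each direction: the body is only fetched when the advertised hash is one the client has not seen, which is the case Mike's "when is it necessary to send anything other than 1?" question is probing.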
Received on Thursday, 28 July 2016 15:14:26 UTC