W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2016

RE: [Proposal]: Set origin-wide policies via a manifest.

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 28 Jul 2016 16:13:50 +0100
To: "'Anne van Kesteren'" <annevk@annevk.nl>
Cc: "'Mike West'" <mkwst@google.com>, "'Brad Hill'" <hillbrad@gmail.com>, "'Patrick Toomey'" <patrick.toomey@github.com>, "'Joel Weinberger'" <jww@google.com>, "'Devdatta Akhawe'" <dev.akhawe@gmail.com>, "'WebAppSec WG'" <public-webappsec@w3.org>
Message-ID: <3ea501d1e8e2$a61482b0$f23d8810$@baycloud.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Client says it can handle origin policies -  Origin-Policy:1 (always or nothing if it cannot handle it)
Server says Origin-Policy: hash (of latest policy indicated by this url and set of request headers including cookies)
Client may have to load another version if its hash differs from any of the ones that have been pushed to it or it has requested explicitly, then applies that policy before loading the resource.

When is it necessary to send anything other than 1?




- -----Original Message-----
From: Anne van Kesteren [mailto:annevk@annevk.nl] 
Sent: 28 July 2016 15:54
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: Mike West <mkwst@google.com>; Brad Hill <hillbrad@gmail.com>; Patrick Toomey <patrick.toomey@github.com>; Joel Weinberger <jww@google.com>; Devdatta Akhawe <dev.akhawe@gmail.com>; WebAppSec WG <public-webappsec@w3.org>
Subject: Re: [Proposal]: Set origin-wide policies via a manifest.

On Thu, Jul 28, 2016 at 4:44 PM, Mike O'Neill
<michael.oneill@baycloud.com> wrote:
> OK, but you could extra info in them to check, the whole url if you had to. What does an infinitely variable Origin-Policy response bring to the table, that cannot be done using existing APIs?

I'm not sure what you mean here. As I understand it these are the requirements:

* Client needs to advertize support
* Client needs to advertize what policy it has, if anything
* Server needs to advertize support
* Server needs to advertize the latest policy

There's various ways to accomplish this, tradeoffs have been discussed
on this thread. Nothing like this can be done through existing APIs,
since it requires infrastructure changes.


- -- 
https://annevankesteren.nl/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using gpg4o v3.5.54.6734 - http://www.gpg4o.com/
Charset: utf-8

iQIcBAEBAgAGBQJXmiEuAAoJEOX5SQClVeMPnFIP/3kItriV9TbPGXkmQEYnVIVy
FLkXeRWbWBAOOeFe4Vipr2xnH+t79cK/FyGNH1wLTT6GCwsyHX3T3QwNmq4HbakL
YaUtcgJheA2MIbvSw4hcjGuKxztUKCTcZGCv93rQwbULzfkWczbMNMn/hcpg3ez2
Fk15sJLxvcrPC/WMv/U2YeMgsE7k/yRuZFDulFb9QTVNjp62wqhpZMac2FRywih5
QK5dvWREhNLuJmwsXkOqyMj0ZbLOUxRmd0F95VTo3PNPzeOGRwdEbuEan7WYlmzg
1rBJHa1XsKlWgpHivRj1517jEXw+5kczobL47lPx0/DsYBHEBtuzevv/8VkWXc4U
Mn+/7CmxhFnIcIZpWqApN4u3m2aLIfTIV/AsTeH47BDAiMmiAbd9HsICilSi+nBD
RFxBcoDGHFHudEinbA/wy4eWh9T7y0wdDWqdfa+g/sCdD0iuG5ZeyNXvgKIussZ3
NjR5AKJ/U3jaPXxRlXLuaQ1yu9cVbfXdTrXN/0LGGd2HxeHmA7zZOQEUcpWQf3P8
Sm9F2AdbiZ7XtwCz/CTZUwnFF4DpJoBjhWPYwEUbnnbUMz3u794382QgRsNvtg5N
BITKRTqmmHmPjJEiWaWLh3Qs50OaQ3Wkq2iSfBztMT4NsJJnqSwdmeBkaVqXvF7B
VX93hExZ0Pz3hLaA961E
=+3aw
-----END PGP SIGNATURE-----
Received on Thursday, 28 July 2016 15:14:26 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC