- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 9 Jun 2016 11:35:56 +0200
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jan-Ivar Bruaroey <jib@mozilla.com>, Ilya Grigorik <igrigorik@google.com>, Raymes Khoury <raymes@google.com>, Harald Alvestrand <hta@google.com>, Mounir Lamouri <mlamouri@google.com>, Martin Thomson <mt@mozilla.com>, Marcos Caceres <marcos@marcosc.com>, Wendy Seltzer <wseltzer@w3.org>, "Cindy (Xiaoqian) Wu" <xiaoqian@w3.org>

On Wed, Jun 8, 2016 at 8:17 PM, Brad Hill <hillbrad@gmail.com> wrote:
> If you missed the call and are interested, I took minutes, available at:
>
> http://www.w3.org/2016/06/08-webappsec-minutes.html

What Martin says there about Firefox and origins is inaccurate, I believe. We changed the permission manager last year to be origin-bound: https://bugzilla.mozilla.org/show_bug.cgi?id=1165263.

(Now revocations might well go the eTLD route, not sure, and that might even make sense, but that seems more like a UX-issue whether you treat www.google.com and mail.google.com as equivalent from a UX perspective. There's a similar problem there when clearing storage. If that would affect just the origin, cookies can be used to revive it. I'd really like a clear set of principles for those questions, but it seems like it will require more research.)

--
https://annevankesteren.nl/

Received on Thursday, 9 June 2016 09:36:23 UTC