
[suborigins] Understanding the syntax

From: chloe <chloe@chloe.re>
Date: Mon, 20 Jun 2016 09:23:03 +0000
To: public-webappsec@w3.org
Message-ID: <1c65430c-06b5-8427-006f-73a7e6bd7fe7@chloe.re>
Hello,

The draft states the following as an example:

> To address this, the developers decide to serve both applications on
> two separate suborigins. For all HTTP requests to any subpath of /chat
> or /shopping, example.com includes a header suborigin: chat or
> suborigin: shopping, respectively.


I have a hard time understanding this example.

Example: I have /foo, which serves different content and is public. /foo
doesn't require any cookies because it's public. However, my / does
require cookies as authentication. If an attacker finds an XSS on /foo,
will the attacker have the possibility to read cookies that are used as
authentication on / if the header "suborigin: foo" is sent only on the
/foo subpath?


Regards,
Chloe

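As an added illustration of the per-subpath header the quoted draft describes (this is example code, not from the draft or from the message above): a small WSGI wrapper that attaches a Suborigin header to every response under a mapped prefix and leaves the root origin untouched. The prefix-to-name mapping and the segment-based matching (so /chatter is not treated as part of /chat) are assumptions made for the example.

```python
from wsgiref.util import setup_testing_defaults

# Constructed mapping: everything under /chat gets "chat", under /shopping gets
# "shopping"; any other path (including "/") stays in the main origin.
SUBORIGIN_PREFIXES = {"/chat": "chat", "/shopping": "shopping"}


def suborigin_for_path(path):
    """Return the suborigin name for a request path, or None for the main origin.

    Matching is on whole path segments, so "/chatter" is NOT under "/chat".
    """
    for prefix, name in SUBORIGIN_PREFIXES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return name
    return None


def suborigin_middleware(app):
    """Wrap a WSGI app so every response under a mapped prefix carries the header."""
    def wrapped(environ, start_response):
        name = suborigin_for_path(environ.get("PATH_INFO", "/"))

        def start(status, headers, exc_info=None):
            if name is not None:
                headers = list(headers) + [("Suborigin", name)]
            return start_response(status, headers, exc_info)

        return app(environ, start)
    return wrapped


def _hello(environ, start_response):
    # Trivial inner application used only to exercise the wrapper.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def response_headers_for(path):
    """Run the wrapped app for `path` and return its response headers as a dict."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = dict(headers)

    list(suborigin_middleware(_hello)(environ, start_response))
    return captured["headers"]
```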


Received on Tuesday, 21 June 2016 09:31:19 UTC
