Hello,

the draft states the following as an example:

> To address this, the developers decide to serve both applications on two separate suborigins. For all HTTP requests to any subpath of /chat or /shopping, example.com includes a header suborigin: chat or suborigin: shopping, respectively.

I have a hard time understanding this example.

Example: I have /foo that serves different content and is public. /foo doesn't require any cookies because it's public. However, my / does require cookies as authentication.

If an attacker finds XSS on /foo, will the attacker have the possibility to read cookies that are used as authentication on / if the header "suborigin: foo" is sent only on the /foo subpath?

Regards,
Chloe

Received on Tuesday, 21 June 2016 09:31:19 UTC