Re: [suborigins] Understanding the syntax

From: Mike West <mkwst@google.com>
Date: Tue, 21 Jun 2016 12:42:14 +0200
Message-ID: <CAKXHy=cHRQbvRSCyHT1F2UZCAdoqFFkOzskED1ueVg7anf3aLw@mail.gmail.com>
To: chloe <chloe@chloe.re>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev@dropbox.com>, Joel Weinberger <jww@google.com>

+Dev and Joel (though the latter is out of office for the next ~month).


On Mon, Jun 20, 2016 at 11:23 AM, chloe <chloe@chloe.re> wrote:

> Hello,
> the draft states the following as an example:
> >To address this, the developers decide to serve both applications on
> two separate suborigins. For all HTTP requests to any subpath of /chat
> or /shopping, example.com includes a header suborigin: chat or
> suborigin: shopping, respectively.
> I have a hard time understanding this example.
> Example: I have /foo that serves different content and is public. /foo
> doesn't require any cookies because it's public. However, my / does
> require cookies as authentication. If an attacker finds XSS on /foo,
> will the attacker have the possibility to read cookies that are used as
> authentication on / if the header "suborigin: foo" is sent only on the
> /foo subpath?
> Regards,
> Chloe
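An added example, not code from this thread or the Suborigins draft, of the routing the quoted draft passage describes: a path-prefix table decides which `suborigin` header value the server emits, and the parsed name widens the origin tuple, so a page under /foo and a page at / compare as different origins for script access. It assumes a bare name grammar of lowercase letters, digits and hyphens; policy options and cookie behaviour, which the question asks about, are not modeled here.

```javascript
// Added example (not from the thread or the Suborigins draft): models the
// draft's practice of emitting a `suborigin` header per path prefix and shows
// how the suborigin name becomes part of the origin tuple used for isolation.
// Assumption: the header value is a bare name matching [a-z0-9-]; policy
// options and cookie handling are out of scope.

// Constructed routing table: the draft's /chat and /shopping example plus the
// /foo case from the question.
const SUBORIGIN_BY_PREFIX = [
  ['/chat', 'chat'],
  ['/shopping', 'shopping'],
  ['/foo', 'foo'],
];

// Suborigin name the server should emit for a request path, or null when the
// path is served on the physical origin only. Prefix must end at a '/'
// boundary so /foobar is not mistaken for a subpath of /foo.
function headerForPath(path) {
  for (const [prefix, name] of SUBORIGIN_BY_PREFIX) {
    if (path === prefix || path.startsWith(prefix + '/')) return name;
  }
  return null;
}

// Validate a header value against the assumed name grammar; reject malformed
// values loudly rather than silently collapsing them to the physical origin.
function parseSuboriginName(value) {
  if (value === null || value === undefined) return null;
  const name = String(value).trim().toLowerCase();
  if (!/^[a-z0-9-]+$/.test(name)) {
    throw new Error(`invalid suborigin name: ${value}`);
  }
  return name;
}

// Origin tuple as the draft extends it: (scheme, host, port, suborigin).
function effectiveOrigin(scheme, host, port, suboriginHeader) {
  return { scheme, host, port, suborigin: parseSuboriginName(suboriginHeader) };
}

// Same-origin check: every component, including the suborigin, must match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host &&
    a.port === b.port && a.suborigin === b.suborigin;
}
```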
Received on Tuesday, 21 June 2016 10:43:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:56 UTC