Re: [suborigins] serializing of origins

From: Deian Stefan <deian@intrinsic.com>
Date: Tue, 18 Apr 2017 20:21:56 -0700
Message-ID: <CAGZQNO4+zoOUcgJf8UXoQTRcEr2SJJ6SEv0uuszOLG3Q+48tYA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Aleksandr Dobkin <dobkin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Apr 18, 2017 at 8:10 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> My recollection of why we have suborigin serialization is that origins
> as strings do tend to pop up in many places. @joel can correct me but
> I believe it also made some things on the browser side easier. I don't
> recall us (as in Dropbox) needing the serialization in particular: if
> postMessage and CORS provides the suborigin, we should mostly be good.

Yeah, that came up in my conversation with Joe as well. It seemed like
internally, the serialization makes it easier to not forget a place to
check suborigins where origins are checked. If the implementation
without serialization is not too much more complicated I'd +1 that we
can make it easy for us to piggyback the cowl label checks.

-deian
Received on Wednesday, 19 April 2017 03:22:29 UTC