- From: Deian Stefan <deian@intrinsic.com>
- Date: Tue, 18 Apr 2017 20:21:56 -0700
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Aleksandr Dobkin <dobkin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Apr 18, 2017 at 8:10 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote: > My recollection of why we have suborigin serialization is that origins > as strings do tend to pop up in many places. @joel can correct me but > I believe it also made some things on the browser side easier. I don't > recall us (as in Dropbox) needing the serialization in particular: if > postMessage and CORS provides the suborigin, we should mostly be good. Yeah, that came up in my conversation with Joe as well. It seemed like internally, the serialization makes it easier to not forget a place to check suborigins where origins are checked. If the implementation without serialization is not too much more complicated I'd +1 that we can make it easy for us to piggyback the cowl label checks. -deian
Received on Wednesday, 19 April 2017 03:22:29 UTC