Re: Single Trust and Same-Origin Policy v2

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 27 Mar 2017 13:49:28 -0700
Message-ID: <CADYDTCDi7+4UjsKVi6=o3mXQpSsh2iMyxx9SZZM_Ek+yz6LH7w@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: John Wilander <wilander@apple.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Mar 27, 2017 at 2:49 AM, Mike West <mkwst@google.com> wrote:

> If single trust gives real advantage to developers, I worry that it will
> simply devolve into delegating a set of subdomains to a third-party
> (`ads.example.com`, `provider1.ads.example.com`, `provider2.ads.example.com`,
> and so on). Given revenue concerns, the slope doesn't seem that slippery. :)
>

That is exactly how we ended up with document.domain, or maybe
document.domain came first and thirdparty.netscape.com followed immediately
after. At the very least it will require mutual opt-in (as we learned with
document.domain) and even then seems problematic.

-Dan Veditz
Received on Monday, 27 March 2017 20:50:21 UTC