- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Wed, 24 Oct 2018 22:15:40 +0200
- To: mattrq@gmail.com
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Wednesday, 24 October 2018 20:16:15 UTC
On Wed, Oct 24, 2018 at 3:25 PM Matt Rosenquist <mattrq@gmail.com> wrote:

> I would like to suggest a set of new directives for the content security
> policy which would allow the site to limit access to cookies.

What do you mean by "access to cookies"? Are you talking about scripted access to document.cookies, HTTP cookie headers, or both?

Can you give concrete examples of security problems or concerns sites have today that this new control would resolve? What hacky workarounds are sites having to do to mitigate these problems in the meantime?

What will sites have to do in a world where some browsers support this and some don't yet? Would these old hacky workarounds coexist with the CSP control so that sites don't have to choose between being unsafe in older browsers or broken content in newer browsers?

> This may be is three forms (first being the most important):
> - cookie-src (read/write)

This is already the default web behavior so it would seem least important (just don't specify a cookie directive).

-Dan Veditz