- From: Richard Barnes <rbarnes@mozilla.com>
- Date: Thu, 28 Jul 2016 18:12:34 -0400
- To: Jeff Hodges <jeff.hodges@kingsmountain.com>
- Cc: W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <CAOAcki_Zo=k3PCgBAdBzBWjPf1_b6rD2fcLfTMZGnf90aGNavg@mail.gmail.com>

On Thu, Jul 28, 2016 at 6:06 PM, <jeff.hodges@kingsmountain.com> wrote:

> Quoting Richard Barnes <rbarnes@mozilla.com>:
>
>> ... this spec ... is dependent on the Public Suffix List (via eTLD+1), a
>> technology that we are trying hard to deprecate.
>
> hm, by "we" do you mean browser vendors? Or other parties? Or other
> parties possibly including browser vendors?
>
> If browser vendors are trying hard to deprecate the Cookie Same Origin
> Policy's dependence upon the eTLD+1 notion and its manifestation as the
> so-called Public Suffix List, it'd be great if you could point to or share
> information regarding such.

See, e.g.:

https://datatracker.ietf.org/wg/dbound/charter/
(developing PSL alternatives)

https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2
(removing the PSL dependency from cookies)

https://github.com/w3c/webappsec-secure-contexts/issues/10
(forbidding document.domain usage, which requires the PSL, with [SecureContext])

"Trying hard" might be an overstatement. Cookies and document.domain have too much usage to be able to make much change very quickly. But it certainly seems to me that the general wisdom right now is that when we have relied on the PSL in the past, it has had bad repercussions, and we shouldn't do it again.

--Richard

> thanks,
>
> =JeffH

Received on Thursday, 28 July 2016 22:13:11 UTC