Re: Origin-scoped cache/cookie/storage context

On Tue, Jan 14, 2014 at 6:46 PM, Nasko Oskov <> wrote:
> In a pop-up window, the navigation is actually top level. The reason for it
> not working though is that windows with synchronous scripting relationships
> must stay in the same renderer process, hence they cannot use different
> storage partitions. This causes the user to have to login in a pop-up for
> each isolated origin, which defeats the purpose of origin isolation.

Could we isolate these similar to <iframe>? Perhaps with a new API?

> While a[t] this, I should mention that we do not isolate on the basis of
> origins, rather on the concept of "site". It includes the scheme and the
> registered domain name, so relaxing origin through document.domain is not
> broken. It excludes subdomains and port numbers.

It seems that if a site opts into this better security model, we could
go and disable document.domain...


Received on Wednesday, 15 January 2014 09:23:28 UTC