On Wed, Feb 11, 2015 at 12:47 AM, Daniel Veditz <dved...@mozilla.com> wrote:
>> (2) The "Entry Point Regulation for Web Applications" deliverable seems
>> to have serious risks of breaking the ability to link. It's not
>> clear that the security benefits of this specification outweigh the
>> risks to the abilities of Web users.
>
> The Working Group is also concerned that we not break the ability to do
> links on the web. We have added that as an explicit requirement in the
> charter. This work item is the most nebulous item in the charter. It has
> some promising ideas that could help prevent CSRF type attacks; it might
> also turn out to be completely unworkable and be dropped. We'd like it to be
> in the charter so we can explore these concepts under the W3 IPR commitments
> of the WG members.
Has the group looked at expanding the feature set of cookies to allow better CSRF protection? I.e. it seems like it would be useful to be able to set a cookie but declare that it should only be sent along with same-origin requests. Or even allow more stringent requirements such as "only send with same-origin POST requests coming from pages under /foo/bar"?

That seems like it could provide the same type of CSRF protection without breaking links. Is that something that would fit in this new charter?

Another thing that would be very useful is page-specific or tab-specific cookies. So that websites like gmail could keep you logged in using different accounts in different tabs. Right now that essentially requires the website to add a user identifier to the URL of all requests that are coming from a page, which is quite a demanding task.

Note that I'm not talking about a UA feature which would allow the user to use different cookie jars in different tabs. That can already be built without any needed changes to the cookie spec.

/ Jonas

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform