by emily37
4884 days ago
Related: Mozilla's sameDomain proposal https://bugzilla.mozilla.org/show_bug.cgi?id=795346

Some research browser architectures like Atlantis (http://research.microsoft.com/pubs/154698/Atlantis-SOSP.pdf) go to the opposite extreme, where cookies are never sent unless their domain matches the initiating origin. In the case of Atlantis, the reason they have to go this route is somewhat messy: their microkernel architecture exposes a network interface to webpages, and the network interface has no way to differentiate between a request initiated by XHR or by an img/script/etc., so the network interface cannot send cookies with any cross-origin requests, or else it risks exposing private data via XHR.

I wonder if it would be useful to see something more flexible than the current standard, sameDomain, or disallowing all cross-origin cookies. When you set a cookie, maybe it would be nice to be able to specify which origins are authorized to send requests with that cookie.
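An added sketch (not part of the comment above, and not code from any browser) comparing the three cookie-attachment rules it discusses: the current default, the Atlantis-style initiator match, and a per-cookie list of authorized origins. The policy names, the `allowedOrigins` field and the example hosts are hypothetical.

```javascript
"use strict";
// Added illustration: policy names and `allowedOrigins` are hypothetical.

// RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Decide whether `cookie` is attached to a request for `targetUrl`
// that was initiated by a page loaded from `initiatorUrl`.
function shouldAttachCookie(policy, cookie, initiatorUrl, targetUrl) {
  const target = new URL(targetUrl);
  const initiator = new URL(initiatorUrl);

  // Under every policy the cookie must belong to the host being requested.
  if (!domainMatches(target.hostname, cookie.domain)) return false;

  switch (policy) {
    case "current":
      // What the comment calls the current standard: the initiator is ignored.
      return true;
    case "initiator-match":
      // Atlantis-style: send only if the cookie's domain matches the initiator.
      return domainMatches(initiator.hostname, cookie.domain);
    case "allowlist": {
      // The comment's idea: the cookie names the origins allowed to trigger it.
      // Assumption: the cookie's own site is always allowed, and list entries
      // are compared as exact origins (scheme + host + port).
      if (domainMatches(initiator.hostname, cookie.domain)) return true;
      const allowed = (cookie.allowedOrigins || []).map((o) => new URL(o).origin);
      return allowed.includes(initiator.origin);
    }
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Constructed sample cookie.
const sessionCookie = {
  name: "session",
  domain: "bank.example",
  allowedOrigins: ["https://partner.example"],
};
```
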