Hacker News new | ask | show | jobs
by hrjet 4531 days ago
That could be also implemented in my proposed fix by example.com setting the auth cookies. They will continue to be readable by store.example.com.

Sure, it will require a change on the server side, which is a pain. But I can't think of a practical scenario which will be impossible to implement with the proposed fix.
1 comments
gfodor 4531 days ago
Your idea would likely break any site on the internet that uses authentication and subdomins, isn't it clear why this isn't being considered?
link
zaroth 4531 days ago
Or sites could opt-in to this with a header?

EDIT: homakov says the same thing down thread.

link
hrjet 4531 days ago
Yes, it is backwards incompatible. Perhaps it could be enforced in HTTP 2?
link