On Wed, Feb 11, 2015 at 10:52 AM, Anne van Kesteren <[email protected]> wrote:
> On Wed, Feb 11, 2015 at 10:42 AM, Jonas Sicking <[email protected]> wrote:
> > Has the group looked at expanding the feature set of cookies to allow
> > better CSRF protection?
>

This doesn't seem like a good fit for WebAppSec. Various IETF groups have generally been responsible for cookies.

> Mike has:
>
> https://mikewest.github.io/internetdrafts/origin-cookies/draft-west-origin-cookies-00.html
> https://mikewest.github.io/internetdrafts/first-party-cookies/draft-west-first-party-cookies-00.html
>
> Not many people are interested thus far is my understanding. Copied
> Mike if he has anything to add.

Some folks on the HTTP WG list (Martin in particular) had some interesting feedback, but my general impression was that I was the only one excited about it. I don't intend to let either spec die, as I think they're potentially important, but I haven't prioritized building a prototype to play with. Coincidentally, I talked to a colleague just this morning who might have some spare cycles coming up, so who knows. Maybe he'll build a prototype for us. :)

-mike

--
Mike West <[email protected]>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

