On Wed, Feb 11, 2015 at 1:52 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Wed, Feb 11, 2015 at 10:42 AM, Jonas Sicking <jo...@sicking.cc> wrote:
>> Has the group looked at expanding the feature set of cookies to allow
>> better CSRF protection?
>
> Mike has:
>
> https://mikewest.github.io/internetdrafts/origin-cookies/draft-west-origin-cookies-00.html
> https://mikewest.github.io/internetdrafts/first-party-cookies/draft-west-first-party-cookies-00.html
>
> Not many people are interested thus far is my understanding. Copied
> Mike if he has anything to add.
I haven't read the above proposals, so won't comment on those specifically. But I'm certainly interested in seeing Mozilla implement something in this space. Fixing cross-site cookies would remove one of the big security advantages that other platforms have over the web.

>> Another thing that would be very useful is page-specific or
>> tab-specific cookies. So that websites like gmail could keep you
>> logged in using different accounts in different tabs. Right now that
>> essentially requires the website to add a user identifier to the URL of
>> all requests that are coming from a page, which is quite a demanding
>> task.
>
> I thought sessionStorage addressed this. (Although of course it's a
> poor API since it's synchronous.)

That still requires that you manually adjust the URL of all network requests that you do through any API. I.e. all img.src, all <link rel=stylesheet href=...>, all XHR requests, all WebSocket constructors need to manually append an account identifier to the URL. SessionStorage doesn't help there at all. Not any more than JS variables do.

/ Jonas

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
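As an added illustration of the CSRF angle discussed in this thread (not code from the thread or from Mike West's drafts), the model below shows how a browser could withhold a "first-party" cookie on requests initiated from a different site, so a forged cross-site form post arrives without the session cookie. It is a deliberately simplified decision rule: the `first_party` flag, the cookie jar and the two-label "registrable domain" rule are assumptions for the example, not the draft's exact attribute name or algorithm.

```python
from urllib.parse import urlsplit


def registrable_domain(host):
    # Assumption: last two labels form the registrable domain. Real browsers
    # consult the Public Suffix List instead of this shortcut.
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def site_of(url):
    return registrable_domain(urlsplit(url).hostname)


def cookies_to_send(jar, request_url, top_level_url):
    """Names of cookies the browser would attach to request_url when the
    request was initiated by a top-level document at top_level_url."""
    sent = []
    for cookie in jar:
        # Ordinary domain matching: cookie must belong to the target site.
        if site_of(request_url) != cookie["site"]:
            continue
        # First-party rule: withhold the cookie if the initiating top-level
        # document is on another site (the cross-site request forgery case).
        if cookie["first_party"] and site_of(top_level_url) != cookie["site"]:
            continue
        sent.append(cookie["name"])
    return sent


# Constructed jar for a fictional bank: one classic cookie, one first-party cookie.
JAR = [
    {"name": "legacy_session", "site": "bank.example", "first_party": False},
    {"name": "fp_session", "site": "bank.example", "first_party": True},
]

if __name__ == "__main__":
    # Navigation within bank.example: both cookies are attached.
    print(cookies_to_send(JAR, "https://bank.example/transfer", "https://bank.example/"))
    # Form post forged from attacker.example: only the legacy cookie travels,
    # so a server that accepts state changes only with fp_session rejects it.
    print(cookies_to_send(JAR, "https://bank.example/transfer", "https://attacker.example/"))
```

A server that keys authenticated state changes on the first-party cookie alone therefore gets CSRF protection without per-form tokens, which is the kind of cookie-level fix the thread is asking for.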