On 25 March 2016 at 20:31, Tom Ritter <[email protected]> wrote:
> The "list of equivalent origins" when I read the spec did _not_ allow
> other web origins. This was a hard "No". It only worked with mobile
> apps. Has this been relaxed? If so, it's a major privacy problem.
I don't think it has been relaxed. The other web origins are required to share the same 'public parts' (like .com) plus at least one 'private part' (like example), such that www.example.com and accounts.example.com can share, but not baddie.example2.com.

Cheers,
Joe

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
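The sharing rule Joe describes (same public suffix plus at least one private label, i.e. the same registrable domain) is easy to get wrong if a checker just compares the last two host labels. The following is an added illustration, not code from the thread or from any spec discussed in it. It uses a small constructed public-suffix table (a real implementation would load the Mozilla Public Suffix List from https://publicsuffix.org/), and it assumes that equivalent origins must both be https; that scheme requirement is this example's own assumption.

```python
from urllib.parse import urlsplit

# Constructed mini public-suffix table for this example only. A real checker
# loads the full Public Suffix List; "github.io" is included here to show
# why "last two labels" is not the same as "registrable domain".
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def registrable_domain(host):
    """Return the public suffix plus one private label, or None if the
    host is itself a public suffix or its suffix is unknown."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host down to shorter suffixes so that the
    # longest matching public suffix wins (co.uk before uk, etc.).
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is a bare public suffix
            return ".".join(labels[i - 1:])
    return None  # unknown suffix: refuse to guess rather than over-share


def origin_host(origin):
    """Extract the host from an origin string, requiring https (assumption)."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname


def origins_equivalent(a, b):
    """True only when both origins are https and share a registrable domain."""
    ha, hb = origin_host(a), origin_host(b)
    if ha is None or hb is None:
        return False
    ra, rb = registrable_domain(ha), registrable_domain(hb)
    return ra is not None and ra == rb


if __name__ == "__main__":
    pairs = [
        ("https://www.example.com", "https://accounts.example.com"),
        ("https://www.example.com", "https://baddie.example2.com"),
        ("https://foo.github.io", "https://bar.github.io"),
        ("https://www.example.co.uk", "https://login.example.co.uk"),
    ]
    for a, b in pairs:
        print(a, b, origins_equivalent(a, b))
```

The github.io pair is the case to watch: both hosts end in the same two labels, yet they belong to different parties, so a checker that ignores the public-suffix table would let unrelated sites claim equivalence.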
