(I mailed the list but for some strange reason the email never got published. If this is the wrong place for general question, please remove this issue)
Hello,
the draft states the following as an example:
To address this, the developers decide to serve both applications on
two separate suborigins. For all HTTP requests to any subpath of /chat
or /shopping, example.com includes a header suborigin: chat or
suborigin: shopping, respectively.
I have a hard time understanding this example.
Example: I have /foo that serves different content and is public. /foo
doesn't require any cookies because it's public. However, my / does
require cookies for authentication. If an attacker finds XSS on /foo,
will the attacker be able to read the cookies that are used for
authentication on / if the header "suborigin: foo" is sent only on the
/foo subpath?
Regards, Chloe
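An added example, written for this page and not taken from the suborigins draft or from Chloe's post: a Node.js request handler that does what the quoted paragraph describes, sending a Suborigin header only on responses under /chat and /shopping and nothing on the rest of the origin. The header name and the two suborigin names come from the quoted text; the prefix table, the function names, the fake response used for the offline demo and the SUBORIGIN_DEMO_PORT variable are assumptions of this example. It only shows how a server scopes the header by path; it does not answer the cookie question raised above.

```javascript
// Added example: serve a Suborigin header per path subtree, as in the draft's
// /chat and /shopping scenario. Everything except the header name and the two
// suborigin names is assumed for illustration.

// Suborigin name per path prefix (assumed table; order does not matter because
// the prefixes do not overlap).
const SUBORIGIN_PREFIXES = [
  ['/chat', 'chat'],
  ['/shopping', 'shopping'],
];

// Map a URL path to its suborigin, or null for the rest of the origin.
// Matching is on whole path segments: '/chat' and '/chat/room/1' belong to
// "chat", but '/chatter' does not, so a sibling path cannot borrow the label.
function suboriginFor(pathname) {
  for (const [prefix, name] of SUBORIGIN_PREFIXES) {
    if (pathname === prefix || pathname.startsWith(prefix + '/')) {
      return name;
    }
  }
  return null;
}

// Same lookup from a raw request URL; parsing first keeps a query string or
// encoded junk after the path from confusing the prefix check.
function suboriginForUrl(rawUrl) {
  const { pathname } = new URL(rawUrl, 'http://example.com');
  return suboriginFor(pathname);
}

// Response headers for a request to rawUrl: a Suborigin header is present
// exactly when the path is inside one of the labelled subtrees.
function responseHeadersFor(rawUrl) {
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  const name = suboriginForUrl(rawUrl);
  if (name !== null) {
    headers['Suborigin'] = name;
  }
  return headers;
}

// Standard Node.js (req, res) handler usable with http.createServer.
function requestListener(req, res) {
  const headers = responseHeadersFor(req.url);
  res.writeHead(200, headers);
  const label = headers['Suborigin'] || '(no suborigin)';
  res.end('<p>Served ' + req.url + ' in suborigin ' + label + '</p>\n');
}

// Offline demo: run the handler against a fake response object and return
// what it wrote, so the behaviour can be inspected without opening a port.
function handleOffline(rawUrl) {
  const captured = {};
  const res = {
    writeHead(status, headers) { captured.status = status; captured.headers = headers; },
    end(body) { captured.body = body; },
  };
  requestListener({ url: rawUrl }, res);
  return captured;
}

// Optional real server, only when SUBORIGIN_DEMO_PORT is set (assumed name),
// so loading this file has no side effects.
if (typeof require === 'function' && process.env.SUBORIGIN_DEMO_PORT) {
  require('http')
    .createServer(requestListener)
    .listen(Number(process.env.SUBORIGIN_DEMO_PORT));
}
```

Run with `SUBORIGIN_DEMO_PORT=8080 node suborigin-demo.js` and compare `curl -i http://localhost:8080/chat/room/1` (carries `Suborigin: chat`) with `curl -i http://localhost:8080/chatter` and `curl -i http://localhost:8080/` (no Suborigin header). The segment-boundary check in suboriginFor is the part worth copying: a plain startsWith('/chat') would also label /chatter, which is a different resource that the draft's example does not put in the chat suborigin.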