w3c / webappsec-suborigins

Suborigins
https://w3c.github.io/webappsec-suborigins/

Understanding the syntax #39

Closed intchloe closed 8 years ago

intchloe commented 8 years ago

(I mailed the list, but for some strange reason the email never got published. If this is the wrong place for general questions, please remove this issue.)

Hello,

the draft states the following as an example:

To address this, the developers decide to serve both applications on two separate suborigins. For all HTTP requests to any subpath of /chat or /shopping, example.com includes a header suborigin: chat or suborigin: shopping, respectively.

I have a hard time understanding this example.

Example: I have /foo, which serves different content and is public. /foo doesn't require any cookies because it's public. However, my / does require cookies as authentication. If an attacker finds an XSS on /foo, will the attacker have the possibility to read cookies that are used as authentication on / if the header "suborigin: foo" is sent only on the /foo subpath?

Regards, Chloe

devd commented 8 years ago

No, if you don't use the unsafe-cookies option.
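As an added example (not code from the spec, the repository, or either commenter), here is a small JavaScript model of the scenario in the question: which paths on example.com get a Suborigin header, what origin the resulting document ends up with, and whether a script injected at /foo can reach the cookies that / relies on. The routing table, the `https-so://name.host` serialization, the lowercase-alphanumeric name rule, and the treatment of a suborigin without 'unsafe-cookies' as having no access to the host's cookies are assumptions of this model, not statements taken from the spec.

```javascript
// Added example: a toy model of how a browser would scope a document once the
// response carries a Suborigin header. Not browser or spec code.
// Assumptions (labelled): header value is "<name> ['option' ...]", names are
// lowercase alphanumerics, a suborigin serializes as "<scheme>-so://<name>.<host>",
// only the 'unsafe-cookies' option is modelled, and a malformed header is ignored.

const NAME_RE = /^[a-z0-9]+$/;

// Parse a Suborigin header value into { name, options }, or null if malformed.
function parseSuborigin(value) {
  if (typeof value !== 'string') return null;
  const parts = value.trim().split(/\s+/);
  const name = parts[0];
  if (!NAME_RE.test(name)) return null;
  const options = new Set();
  for (const opt of parts.slice(1)) {
    const m = /^'([a-z-]+)'$/.exec(opt);
    if (!m) return null; // options must be single-quoted tokens
    options.add(m[1]);
  }
  return { name, options };
}

// Server side of the question: the header example.com attaches per path.
// Constructed routing table; "/" deliberately carries no header.
const ROUTES = [
  { prefix: '/foo', header: 'foo' },
  { prefix: '/chat', header: 'chat' },
  { prefix: '/shopping', header: 'shopping' },
];

function suboriginHeaderFor(path) {
  const r = ROUTES.find(r => path === r.prefix || path.startsWith(r.prefix + '/'));
  return r ? r.header : null;
}

// Origin the document ends up with: the plain origin when there is no (valid)
// header, otherwise the assumed suborigin serialization.
function effectiveOrigin(url, header) {
  const u = new URL(url);
  const so = header === null ? null : parseSuborigin(header);
  if (so === null) return u.origin;
  return `${u.protocol.replace(':', '-so:')}//${so.name}.${u.host}`;
}

// Cookie jar a script in that document can read through document.cookie:
// the host's jar for a plain origin or a suborigin with 'unsafe-cookies',
// and no access at all (null) for a suborigin without it (model assumption).
function cookieJarFor(url, header) {
  const u = new URL(url);
  const so = header === null ? null : parseSuborigin(header);
  if (so === null || so.options.has('unsafe-cookies')) return u.host;
  return null;
}

// The question's scenario: an XSS at /foo tries to read the auth cookie set on /.
function xssCanReadAuthCookie(header) {
  const victim = 'https://example.com/';
  const xssPage = 'https://example.com/foo';
  const jar = cookieJarFor(xssPage, header);
  return jar !== null && jar === cookieJarFor(victim, suboriginHeaderFor('/'));
}

// Usage: the setup from the question, with and without the unsafe option.
for (const h of ['foo', "foo 'unsafe-cookies'"]) {
  console.log(`Suborigin: ${h} -> document origin ${effectiveOrigin('https://example.com/foo', h)},` +
              ` XSS on /foo reads auth cookie: ${xssCanReadAuthCookie(h)}`);
}
```

The point the model makes explicit is that the header is per response, so only documents loaded from /foo move into the `foo` suborigin; / stays in the plain origin, and the injected script at /foo can only reach the host's cookies if the header opts back in with 'unsafe-cookies'.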

intchloe commented 8 years ago

Continuing on the list https://lists.w3.org/Archives/Public/public-webappsec/2016Jun/0049.html - and close!