On Mon, Sep 22, 2014 at 10:52 PM, Chris Palmer <[email protected]> wrote:
> Quite so. My point in this thread was: If we are going to change the
> definition of what an origin is, the most security-meaningful change
> would be to tie cryptographic identities to origins, rather than
> anything else; and, OMG that is incredibly hard to do. So, maybe we
> should just leave origins alone.

What if we offered some new type of certificate. And if you downgraded from that certificate to a normal certificate, you would have some guarantees about cookie and localStorage data. And perhaps it automatically gives you HSTS. Or is that too problematic to roll out?

--
https://annevankesteren.nl/
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

