On Wed, Aug 24, 2011 at 1:54 AM, Gervase Markham <[email protected]> wrote:
> I've only just read this document; I didn't realise it contained a
> dis-recommendation for the use of the Public Suffix List.
>
> I couldn't see in the document any other way of allowing two
> non-identical but related origins to collaborate. Do you have a
> recommendation for this use case (a number of sites across the same
> company, and so on)? It's rather an important one on the web today.
Cross-Origin Resource Sharing is an excellent way of collaborating between multiple origins:

http://www.w3.org/TR/cors/

In any case, nothing in this document changes how cookies work. The IETF recently published RFC6265, which explicitly mentions the use of the public suffix list. Similarly, HTML continues to require support for document.domain, which also uses the public suffix list. The purpose of this text in this document is to caution against creating more such reliance on the public suffix list. Instead, the verified origin approach (e.g., as used in CORS and CSP) is a much more robust way of addressing many of the same use cases.

Adam

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
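An added illustration of the contrast the reply draws (example code written for this page, not from the thread or the CORS spec): a server-side CORS check that grants access only to exact, verified origins, next to a domain-suffix relaxation of the kind document.domain relies on. The origins, hostnames and function names are constructed for the example.

```javascript
// Added example (not from the thread): CORS responses built from an exact
// allowlist of verified origins, contrasted with domain-suffix relaxation.
// Origins and hostnames below are constructed sample values.

// Exact origins permitted to read responses. Each entry is the full
// scheme://host[:port] tuple; a different scheme or port is a different origin.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Canonicalize the Origin request header. Returns null for the opaque
// "null" origin or for values that do not parse as a URL.
function canonicalOrigin(originHeader) {
  if (typeof originHeader !== "string") return null;
  try {
    const origin = new URL(originHeader).origin; // drops default ports, lowercases host
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// Verified-origin approach: grant only when the canonical origin is listed.
// An empty object means "no CORS headers", so the browser withholds the
// response body from the cross-origin page.
function corsHeadersFor(originHeader) {
  const origin = canonicalOrigin(originHeader);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin, // echo the verified origin, never "*" with credentials
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must key on Origin once it is echoed
  };
}

// Suffix-relaxation approach (what document.domain-style sharing amounts to):
// any host under the registrable domain qualifies, so every subdomain,
// including ones that serve untrusted content, is implicitly trusted.
function suffixRelaxationAllows(originHeader, registrableDomain) {
  const origin = canonicalOrigin(originHeader);
  if (origin === null) return false;
  const host = new URL(origin).hostname;
  return host === registrableDomain || host.endsWith("." + registrableDomain);
}
```

Note that the exact allowlist rejects a changed scheme or port and any host outside the list, while the suffix rule admits every subdomain of the registrable domain whether or not it was meant to share.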
