This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 16248 - Make http+aes: content forced unique-origin
Summary: Make http+aes: content forced unique-origin
Status: RESOLVED WONTFIX
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML
Version: unspecified
Hardware: Other other
Importance: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL: http://www.whatwg.org/specs/web-apps/...
Reported: 2012-03-07 08:49 UTC by contributor
Modified: 2012-10-05 22:41 UTC

Description contributor 2012-03-07 08:49:00 UTC
Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/iana.html
Multipage: http://www.whatwg.org/C#http+aes-scheme
Complete: http://www.whatwg.org/c#http+aes-scheme

Comment:
"all content using the http+aes scheme on the same host (and same port) shares
the same origin and can therefore leak the keys" - unless there's a use case
for supporting this, it seems more robust to make http(s)+aes never be
same-origin

Posted from: 88.131.66.80 by simonp@opera.com
User agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.7.2; U; en) Presto/2.10.229 Version/11.61

Comment 1 contributor 2012-07-18 17:13:36 UTC
This bug was cloned to create bug 18085 as part of operation convergence.

Comment 2 Ian 'Hixie' Hickson 2012-10-05 22:41:44 UTC
I've dropped the entire feature instead.