If you work on security & are interested in suborigins (https://w3c.github.io/webappsec-suborigins/ …), speak up! Browser vendors want to gauge community interest
Suborigins are easy to understand for users, even if not straightforward to implement/spec. Use cases can show why this effort is worth it.
Also worth noting is that suborigins are one of the few features that @sirdarckcat and I both like a lot, which has got to mean something!
@patricktoomey we were thinking of using this for raw pages too, right? Where everything is its own origin?
Yeah, seems a nice last line of defense.
@arturjanc - doesn’t Google do something like this for user content by generating a random subdomain?
Yes, we have *.googleusercontent.com for that. But the infrastructure for it is quite tricky (hard for small sites), and the URLs are ugly.
Yeah…that was what I was getting at.
I’ve considered implementing the same subdomain setup for GitHub, but feel like suborigins would be the cleaner implementation long term.
Definitely. We also considered CSP: sandbox delivered as an HTTP header for this case, but that introduces a whole slew of other problems.
Don't get me started; we shipped this (see http://www.dropbox.com/enterprise) but it's super hacky.
This combination is difficult to deal with: folks think they _know_ what suborigins should be, we just all know different things. :)
Not clear to me who this is intended for. Who wants to use this and manage its complexity that can't just move to a real separate origin?
Tonight I will have nightmares of SO questions asking why bootstrap in /static doesn't load right for /admin because it uses webfonts.
