W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

The HTTP Sec-From Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 28 Jun 2009 16:12:07 -0700
Message-ID: <7789133a0906281612o6372ba1chc424d48eb0880ed3@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Henrik Nordstrom <henrik@henriknordstrom.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
On Wed, Jun 24, 2009 at 10:55 PM, Adam Barth<w3c@adambarth.com> wrote:
> On Wed, Jun 24, 2009 at 10:46 PM, Mark Nottingham<mnot@mnot.net> wrote:
>> Do you have a spec for sec-from?
>
> http://tools.ietf.org/html/draft-abarth-origin-01
>
> This draft addresses the technical feedback I have receive on the -00
> version of the draft.  As I said in the previous email, I'm going to
> try to reply to all the outstanding emails in the next couple of days.

Turns out my folder of outstanding issues was mostly individual
emails.  I had an outstanding request for data from this WG on the
number of internal-to-external POST requests.  Out of a sample of one
million HTTP requests from an enterprise firewall:

1) 6% of the GET+POST requests were POST.
2) 10% of POSTs are cross-host.
3) There was exactly one POST from an internal host to an external host.

Caveats: I can't see HTTPS traffic with this methodology.  Different
enterprises might be different.  The enterprise in question does trip
the Referer header (although I collected the data prior to stripping).

Adam
Received on Sunday, 28 June 2009 23:13:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:04 GMT