
Re: The HTTP Origin Header (draft-abarth-origin)

From: Bil Corry <bil@corry.biz>
Date: Sun, 12 Jul 2009 21:08:34 -0500
Message-ID: <4A5A9722.8080707@corry.biz>
To: Adam Barth <w3c@adambarth.com>
CC: Mark Nottingham <mnot@mnot.net>, Henrik Nordstrom <henrik@henriknordstrom.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>

Adam Barth wrote on 6/25/2009 12:55 AM:
> On Wed, Jun 24, 2009 at 10:46 PM, Mark Nottingham<mnot@mnot.net> wrote:
>> Do you have a spec for sec-from?
> 
> http://tools.ietf.org/html/draft-abarth-origin-01
> 
> This draft addresses the technical feedback I have received on the -00
> version of the draft.  As I said in the previous email, I'm going to
> try to reply to all the outstanding emails in the next couple of days.

How do you envision the Sec-From header representing frames?  I ask because the Mozilla Origin proposal[1] discusses frames quite a bit, and assuming frames are handled by Sec-From in the way outlined by Mozilla's proposal, they'll end up looking like redirect chains.

For example, based on your current draft (and correct me if I'm wrong) if A POSTs to B, which then redirects to C, the Sec-From header at C will look like:

	Sec-From: B A

Mozilla's frames proposal -- if A frames B which redirects to C, the header at C will look like:

	Sec-From: B A

There may be some value for C to be able to distinguish that a received request is coming from a frame.


- Bil


[1] https://wiki.mozilla.org/Security/Origin

Received on Monday, 13 July 2009 02:09:23 GMT