Re: HTTPbis and the Same Origin Policy

On Wed, Nov 25, 2009 at 7:50 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Tyler Close wrote:
>>
>> AFAICT, HTTPbis says nothing about the Same Origin Policy (SOP), yet
>> this policy is a major constraint on the behavior of many HTTP user
>> agents, restricting what HTTP requests can be sent and what HTTP
>> responses can be delivered. SOP is not defined by any standard. Should
>> HTTPbis step up?
>> ...
>
> Well, HTTPbis (as WG and set of specs) is really constrained in what we're
> doing, see <http://www.ietf.org/dyn/wg/charter/httpbis-charter>. And that's
> a good thing, because an open-ended charter would make it likely that we
> never finish.

Quoting from the charter:
"""
The working group will refine RFC2616 to:
...
* Document the security properties of HTTP and its associated
mechanisms (e.g., Basic and Digest authentication, cookies, TLS) for
common applications
"""

Given that charter, it's hard to see how the WG can escape documenting
the Same Origin Policy. It is a necessary part of how common
applications use HTTP Auth, cookies and even unadorned HTTP requests
and responses.

> That being said, defining this in a spec probably *is* a good idea. Did you
> just volunteer? Note that to produce a spec you actual IETF WG is required.

;) No, I wasn't trying to throw myself on that grenade. ;) Not yet at
least. Documenting SOP is a *big* task. I understand why it makes you
worry about slipping deadlines. So, should the charter be revised to
exclude the primary security policy that governs use of HTTP? ;)

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 25 November 2009 17:28:26 UTC