Re: HTTPbis and the Same Origin Policy

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 25 Nov 2009 09:27:46 -0800
Message-ID: <5691356f0911250927s85d414er160ea4f33fca8e46@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Wed, Nov 25, 2009 at 7:50 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Tyler Close wrote:
>> AFAICT, HTTPbis says nothing about the Same Origin Policy (SOP), yet
>> this policy is a major constraint on the behavior of many HTTP user
>> agents, restricting what HTTP requests can be sent and what HTTP
>> responses can be delivered. SOP is not defined by any standard. Should
>> HTTPbis step up?
>> ...
> Well, HTTPbis (as WG and set of specs) is really constrained in what we're
> doing, see <http://www.ietf.org/dyn/wg/charter/httpbis-charter>. And that's
> a good thing, because an open-ended charter would make it likely that we
> never finish.

Quoting from the charter:
The working group will refine RFC2616 to:
* Document the security properties of HTTP and its associated
  mechanisms (e.g., Basic and Digest authentication, cookies, TLS) for
  common applications

Given that charter, it's hard to see how the WG can escape documenting
the Same Origin Policy. It is a necessary part of how common
applications use HTTP Auth, cookies and even unadorned HTTP requests
and responses.

> That being said, defining this in a spec probably *is* a good idea. Did you
> just volunteer? Note that to produce a spec you actual IETF WG is required.

;) No, I wasn't trying to throw myself on that grenade. ;) Not yet at
least. Documenting SOP is a *big* task. I understand why it makes you
worry about slipping deadlines. So, should the charter be revised to
exclude the primary security policy that governs use of HTTP? ;)


"Waterken News: Capability security on the Web"
Received on Wednesday, 25 November 2009 17:28:26 UTC