
Re: HTTPbis and the Same Origin Policy

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 25 Nov 2009 18:46:15 +0100
Cc: Thomas Roessler <tlr@w3.org>, Doug Schepers <schepers@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@opera.com>, Ian Hickson <ian@hixie.ch>, "Michael(tm) Smith" <mike@w3.org>
Message-Id: <FB4986B0-957C-47AC-95B1-4737ADD5A6C4@w3.org>
To: Tyler Close <tyler.close@gmail.com>
Much of this material is in fact part of the HTML5 and XMLHttpRequest specifications.


The XMLHttpRequest specification is in Last Call as of 19 November (with 16 December deadline), and it includes a specification of the same origin policy for XMLHttpRequest -- see step 13 of the open() method [1].

http://www.w3.org/TR/XMLHttpRequest/#the-open-method

I'll note that that specification lacks any security considerations at this point, and that calling out the same origin policy more prominently (and talking about DNS rebinding) sound like they would be fine and timely additions to that spec.

Additionally, I suspect that in-depth review from the HTTP Working Group would be extremely valuable for this spec.



HTML5 defines a number of relevant policies:

  http://dev.w3.org/html5/spec/Overview.html#security
  http://dev.w3.org/html5/spec/Overview.html#security-1
  http://dev.w3.org/html5/spec/Overview.html#security-2
  http://dev.w3.org/html5/spec/Overview.html#relaxing-the-same-origin-restriction
  http://dev.w3.org/html5/spec/Overview.html#security-and-privacy-considerations
  http://dev.w3.org/html5/spec/Overview.html#security-with-canvas-elements
  
There are a few more places.  Unfortunately, the easiest way to identify all cases in which HTML5 explicitly specifies a security policy seems to be searching for the "SECURITY_ERR" exception.


Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>

On 25 Nov 2009, at 16:39, Tyler Close wrote:

> AFAICT, HTTPbis says nothing about the Same Origin Policy (SOP), yet
> this policy is a major constraint on the behavior of many HTTP user
> agents, restricting what HTTP requests can be sent and what HTTP
> responses can be delivered. SOP is not defined by any standard. Should
> HTTPbis step up?
> 
> --Tyler
> 
> -- 
> "Waterken News: Capability security on the Web"
> http://waterken.sourceforge.net/recent.html
> 
> 
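As an added illustration (not code from the thread, nor from the XMLHttpRequest or HTML5 specifications), the following Node.js snippet models the same-origin check that the message above locates in step 13 of open(): an origin is treated as the (scheme, host, port) tuple, and a request whose resolved URL has a different tuple from the document's is refused before any HTTP traffic occurs. The names originOf, sameOrigin, SecurityError, makeXhr and trySomeRequests are hypothetical, and the "document" is just a URL string; the comment on the host comparison is where the DNS-rebinding caveat mentioned in the message comes in.

```javascript
// Added example: a model of the XMLHttpRequest same-origin check (hypothetical code,
// not taken from the XHR or HTML5 specs). Runs under Node.js, which provides the
// WHATWG URL class globally.

// Origin of a URL as a (scheme, host, port) tuple. The URL parser drops the
// default port, so it is filled back in for http and https before comparing.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin when all three tuple components match.
// Note that the host component is a DNS name, not an address: the check knows
// nothing about which IP the name resolved to, which is why DNS rebinding is a
// separate concern that a same-origin check alone does not address.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Stand-in for the SECURITY_ERR exception the specs raise on a policy violation.
class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = 'SECURITY_ERR';
  }
}

// Toy user agent: an XHR-like object bound to a document URL. open() resolves
// the target against the document and refuses cross-origin targets.
function makeXhr(documentUrl) {
  return {
    open(method, url) {
      const target = new URL(url, documentUrl).href; // relative URLs resolve against the document
      if (!sameOrigin(documentUrl, target)) {
        throw new SecurityError(`cross-origin request to ${target} refused`);
      }
      return { method, url: target }; // no network activity in this model
    }
  };
}

// Run a list of candidate URLs through open() and report the policy decision for each.
function trySomeRequests(documentUrl, urls) {
  const xhr = makeXhr(documentUrl);
  return urls.map((u) => {
    try {
      xhr.open('GET', u);
      return 'allowed';
    } catch (e) {
      return e.name === 'SECURITY_ERR' ? 'blocked' : 'error';
    }
  });
}

// Constructed sample: a page on http://example.com asking for four URLs.
const sampleDocument = 'http://example.com/page';
const sampleTargets = [
  '/api',                      // same scheme, host and (default) port
  'http://example.com:80/x',   // explicit default port, still same origin
  'https://example.com/x',     // scheme differs
  'http://other.example/'      // host differs
];
console.log(trySomeRequests(sampleDocument, sampleTargets));
```

The decision list for the constructed sample is ['allowed', 'allowed', 'blocked', 'blocked']; the two blocked entries show that a change of scheme or of host is enough to fail the tuple comparison, while an explicit default port is normalised away.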
Received on Wednesday, 25 November 2009 17:46:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:13 GMT