W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: HTTPbis and the Same Origin Policy

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 25 Nov 2009 13:18:37 -0800
Message-ID: <5691356f0911251318u4825c35fm38ba36c924eb0cb5@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Nov 25, 2009 at 12:30 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, Nov 25, 2009 at 12:26 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Wed, Nov 25, 2009 at 9:27 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>> On Wed, Nov 25, 2009 at 7:50 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>>>> That being said, defining this in a spec probably *is* a good idea. Did you
>>>> just volunteer? Note that to produce a spec you actual IETF WG is required.
>>>
>>> ;) No, I wasn't trying to throw myself on that grenade. ;) Not yet at
>>> least. Documenting SOP is a *big* task. I understand why it makes you
>>> worry about slipping deadlines. So, should the charter be revised to
>>> exclude the primary security policy that governs use of HTTP? ;)
>>
>> The same-origin policy is defined here:
>>
>> http://tools.ietf.org/html/draft-abarth-origin
>
> Actually, that draft is out of date.  I've just uploaded a new draft,
> which I've also attached to this message.

That I-D defines an identifier for an origin, but not the Same Origin
Policy. For example, what document says: a HTTP PUT request cannot be
sent cross-origin.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 25 November 2009 21:19:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:13 GMT