Re: HTTPbis and the Same Origin Policy from Thomas Roessler on 2009-11-25 (ietf-http-wg@w3.org from October to December 2009)

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 25 Nov 2009 22:28:58 +0100
To: Tyler Close <tyler.close@gmail.com>
Cc: Thomas Roessler <tlr@w3.org>, Adam Barth <w3c@adambarth.com>, Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <3E6431DF-1BD3-47B7-A150-7145DC7BEAF5@w3.org>

On 25 Nov 2009, at 22:18, Tyler Close wrote:

> That I-D defines an identifier for an origin, but not the Same Origin
> Policy.

It also defines what the "equality" operator in the same-origin policy means.

> For example, what document says: a HTTP PUT request cannot be
> sent cross-origin.

XMLHttpRequest, for the purposes of HTTP PUT requests caused through that API.

No spec, for form submissions, since the policy doesn't hold for these.

Received on Wednesday, 25 November 2009 21:29:10 UTC