
Re: HTTPbis and the Same Origin Policy

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 25 Nov 2009 13:34:58 -0800
Message-ID: <5691356f0911251334s4f539d8cs869e568e80de9a2d@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Nov 25, 2009 at 1:25 PM, Adam Barth <w3c@adambarth.com> wrote:
> Whether one can send an HTTP PUT request to another origin depends on
> which API is being used.  For the HTML Form element, the HTML
> specification contains this requirement.  For the XMLHttpRequest API,
> the XMLHttpRequest specification contains the requirement.
>
> The essence of the same-origin policy is the "sameness" relation
> (i.e., how to compute it on URLs), which is what's contained in that
> draft.  The details of what actions are restricted to the "same"
> origin are details best left to the application layer.

My impression is that the undefined consensus understanding of the
Same Origin Policy incorporates the rule that no API (not just a
specific API, such as HTML form) can allow a cross-origin PUT, unless
the target resource has somehow opted out of SOP protection. This
rule, and others like it, are the source of much of the complexity in
CORS. These rules are not left to the application layer.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
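The opt-out Tyler describes, a target resource waiving same-origin protection for a cross-origin PUT through CORS, modelled as an added JavaScript example that is not part of the thread; the origins, the policy object and the function names are assumptions, and the browser-side logic is a simplified reading of the CORS preflight rules.

```javascript
// Added example (not from the thread): a minimal model of the CORS opt-in that
// lets a resource waive same-origin protection for a cross-origin PUT.
// Both the server policy and the browser check are simplified assumptions.

// Methods a browser sends cross-origin without a preflight (the response is
// still withheld from the page unless CORS allows it).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Server side: answer an OPTIONS preflight for `method` from `origin`.
// `policy` is an assumed allowlist of origins and the methods they may use.
// Returning null means "no opt-out": the browser keeps SOP protection.
function preflightResponse(origin, method, policy) {
  if (!origin || !policy.allowedOrigins.includes(origin)) return null;
  if (!policy.allowedMethods.includes(method)) return null;
  return {
    // Echo the specific origin rather than "*", so the grant is scoped and
    // caches keyed on Origin (via Vary) do not hand it to other sites.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": policy.allowedMethods.join(", "),
    "Vary": "Origin",
  };
}

// Browser side: decide whether the actual cross-origin request is sent.
// A non-simple method such as PUT goes out only if the preflight named this
// origin (or "*") and listed the method; otherwise SOP blocks it.
function browserSendsRequest(origin, method, preflightHeaders) {
  if (SIMPLE_METHODS.has(method)) return true; // no preflight required
  if (!preflightHeaders) return false;
  const allowOrigin = preflightHeaders["Access-Control-Allow-Origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const methods = (preflightHeaders["Access-Control-Allow-Methods"] || "")
    .split(",").map((m) => m.trim());
  return methods.includes(method);
}

// Constructed scenario: the API resource opts out of SOP only for one origin.
const policy = {
  allowedOrigins: ["https://app.example.test"],
  allowedMethods: ["GET", "PUT"],
};

// End-to-end: preflight, then the browser's decision for a PUT from `origin`.
function crossOriginPutAllowed(origin) {
  const headers = preflightResponse(origin, "PUT", policy);
  return browserSendsRequest(origin, "PUT", headers);
}
```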
Received on Wednesday, 25 November 2009 21:35:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:13 GMT