Re: HTTPbis and the Same Origin Policy

On Wed, Nov 25, 2009 at 1:25 PM, Adam Barth <w3c@adambarth.com> wrote:
> Whether one can send an HTTP PUT request to another origin depends on
> which API is being used.  For the HTML Form element, the HTML
> specification contains this requirement.  For the XMLHttpRequest API,
> the XMLHttpRequest specification contains the requirement.
>
> The essence of the same-origin policy is the "sameness" relation
> (i.e., how to compute it on URLs), which is what's contained in that
> draft.  The details of what actions are restricted to the "same"
> origin are details best left to the application layer.

My impression is that the undefined consensus understanding of the
Same Origin Policy incorporates the rule that no API (not just a
specific API, such as HTML form) can allow a cross-origin PUT, unless
the target resource has somehow opted out of SOP protection. This
rule, and others like it, are the source of much of the complexity in
CORS. These rules are not left to the application layer.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 25 November 2009 21:35:34 UTC
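The cross-origin PUT rule Tyler describes above (the browser refuses a non-simple cross-origin method unless the target resource opts in through CORS), as an added example that is not part of the original thread. The `origin`, `sameOrigin` and `mayIssue` names and the preflight header objects are constructed for illustration; no real network requests are made.

```javascript
// Added example: a model of the browser-side decision for a cross-origin PUT.
// It combines the "sameness" relation on URLs (scheme, host, port) with the
// CORS opt-in check a browser applies to non-simple methods. Constructed
// inputs only; nothing here talks to a network.

// Compute an origin string. Default ports are made explicit so that
// http://a.example and http://a.example:80 compare as the same origin.
function origin(urlString) {
  const u = new URL(urlString);
  const defaults = { "http:": "80", "https:": "443" };
  const port = u.port || defaults[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

// Methods a browser will send cross-origin without a preflight. PUT is
// deliberately absent: it is exactly the case the thread is about.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Decide whether a document at pageUrl may issue `method` to targetUrl.
// `preflight` is a constructed stand-in for the headers the target returned
// to the OPTIONS preflight; null means the target never opted in.
// (Credentialed requests have stricter rules and are not modelled here.)
function mayIssue(pageUrl, targetUrl, method, preflight) {
  if (sameOrigin(pageUrl, targetUrl)) return true;   // SOP: same origin, unrestricted
  if (SIMPLE_METHODS.has(method)) return true;       // sent; reading the reply still needs CORS
  if (!preflight) return false;                      // non-simple method, no opt-in from target
  const allowOrigin = preflight["access-control-allow-origin"] || "";
  const allowMethods = (preflight["access-control-allow-methods"] || "")
    .split(",").map((m) => m.trim().toUpperCase()).filter(Boolean);
  let originOk = allowOrigin === "*";
  if (!originOk && allowOrigin !== "") {
    originOk = origin(allowOrigin + "/") === origin(pageUrl);  // exact origin match
  }
  return originOk && allowMethods.includes(method.toUpperCase());
}
```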