Re: HTTPbis and the Same Origin Policy

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 25 Nov 2009 14:34:03 -0800
Message-ID: <5691356f0911251434m5db36e55kc3748c01f9b67b2f@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>

On Wed, Nov 25, 2009 at 1:54 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, Nov 25, 2009 at 1:34 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> My impression is that the undefined consensus understanding of the
>> Same Origin Policy incorporates the rule that no API (not just a
>> specific API, such as HTML form) can allow a cross-origin PUT, unless
>> the target resource has somehow opted out of SOP protection.
>
> I think you're confusing two things:
>
> 1) What is an origin?
> 2) What restrictions ought we to place on cross-origin interactions?

No, I think I understand the difference between a thing and what you
can do with that thing. I think my point comes down to a rephrasing of
2):

2) What restrictions have been placed on cross-origin interactions and
must forever be obeyed by all APIs?

>> This
>> rule, and others like it, are the source of much of the complexity in
>> CORS. These rules are not left to the application layer.
>
> Indeed.  Security in the application layer is quite complex.  That's
> what makes life interesting.  :)

So are you agreeing that there do exist SOP rules that the application
layer must obey? If so, should we document those rules?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 25 November 2009 22:34:44 GMT
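Added here as an illustration, not code from the thread or from any of its participants: a small model of the rule Tyler is pointing at. A browser-side API may send a cross-origin request without asking the target only if an HTML form could already have sent it (what CORS calls a "simple" request: GET/HEAD/POST with safelisted headers and form-style content types). Anything else, a PUT for instance, is preflighted, and the target resource opts out of SOP protection by answering the preflight with matching Access-Control-Allow-Origin / Access-Control-Allow-Methods headers. The request and policy object shapes, the helper names and the sample origins are this example's own; the model is deliberately simplified (no `Access-Control-Allow-Methods: *`, no `Range` safelisting) and covers whether the request is sent, not whether the response may be read.

```javascript
// Added example (not from the thread): browser-side preflight decision and the
// server-side CORS policy that lets a target opt out of Same Origin Policy
// protection. Object shapes and names are this example's own assumptions.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Browser side: does this request need the target's consent before it is sent?
// A request a plain HTML form could make is sent without asking.
function needsPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    if (n === 'content-type' &&
        !SIMPLE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase())) return true;
  }
  return false;
}

// Server side: the target's CORS policy, i.e. how it opts out of SOP protection.
// policy = { allowOrigins: '*' | [origins], allowMethods: [methods], allowCredentials: bool }
// Returns the headers the target would put on its answer to a preflight.
function preflightResponse(policy, origin) {
  const headers = {};
  const originAllowed = policy.allowOrigins === '*' || policy.allowOrigins.includes(origin);
  if (!originAllowed) return headers; // no CORS headers at all: the browser will refuse
  // "*" is never valid for credentialed requests, so such a policy echoes the origin.
  headers['Access-Control-Allow-Origin'] =
    policy.allowOrigins === '*' && !policy.allowCredentials ? '*' : origin;
  headers['Access-Control-Allow-Methods'] =
    policy.allowMethods.map((m) => m.toUpperCase()).join(', ');
  if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Browser side: may this request be sent to the target at all?
// req = { origin, targetOrigin, method, headers, credentials }
function maySend(req, policy) {
  if (req.origin === req.targetOrigin) return true; // SOP does not apply
  if (!needsPreflight(req)) return true;            // a form could send this already
  const resp = preflightResponse(policy, req.origin);
  const allowOrigin = resp['Access-Control-Allow-Origin'];
  if (allowOrigin === undefined) return false;      // target did not opt out
  if (allowOrigin === '*') {
    if (req.credentials) return false;              // wildcard never covers credentials
  } else if (allowOrigin !== req.origin) {
    return false;
  }
  if (req.credentials && resp['Access-Control-Allow-Credentials'] !== 'true') return false;
  const methods = (resp['Access-Control-Allow-Methods'] || '')
    .split(',').map((s) => s.trim().toUpperCase());
  return methods.includes(req.method.toUpperCase());
}

// Constructed sample requests and policies.
const API = 'https://api.example';
const attacker = { origin: 'https://evil.example', targetOrigin: API };
const formPost = { ...attacker, method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' } };
const jsonPost = { ...attacker, method: 'POST', headers: { 'Content-Type': 'application/json' } };
const put = { ...attacker, method: 'PUT', headers: { 'Content-Type': 'text/plain' } };
const credentialedPut = { ...put, credentials: true };

const closedPolicy = { allowOrigins: [], allowMethods: [], allowCredentials: false };
const openPolicy = { allowOrigins: '*', allowMethods: ['GET', 'PUT'], allowCredentials: false };
const partnerPolicy = { allowOrigins: ['https://evil.example'], allowMethods: ['PUT'], allowCredentials: true };

function demo() {
  return {
    formPostNoPolicy: maySend(formPost, closedPolicy),             // true: SOP lets forms POST
    jsonPostNoPolicy: maySend(jsonPost, closedPolicy),             // false: preflight, no consent
    putNoPolicy: maySend(put, closedPolicy),                       // false: preflight, no consent
    putOpenPolicy: maySend(put, openPolicy),                       // true: target opted out
    credentialedPutOpenPolicy: maySend(credentialedPut, openPolicy),       // false: "*" + credentials
    credentialedPutPartnerPolicy: maySend(credentialedPut, partnerPolicy), // true: origin echoed
  };
}

console.table(demo());
```

The first case is the one that matters for the thread: the target has no way to stop a cross-origin form POST from being sent, because HTML forms could do that before CORS existed, which is exactly why CSRF defenses live in the application layer. The PUT cases show the other half of the rule: the request never leaves the browser unless the target's preflight answer names the origin (or "*", which does not cover credentialed requests) and lists the method.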
