Re: HTTPbis and the Same Origin Policy

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 25 Nov 2009 17:55:41 -0800
Message-ID: <7789133a0911251755p4f08c4c9w59cd2c2297d3d786@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>

On Wed, Nov 25, 2009 at 2:34 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Wed, Nov 25, 2009 at 1:54 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Indeed.  Security in the application layer is quite complex.  That's
>> what makes life interesting.  :)
>
> So are you agreeing that there do exist SOP rules that the application
> layer must obey? If so, should we document those rules?

Yes.  At the application layer.

I'm not even sure you can articulate the policy coherently without
referring to application-layer concepts.  How would you explain the
restrictions on images in the HTML Canvas element in terms of HTTP
protocol messages?

Adam
Received on Thursday, 26 November 2009 01:56:41 GMT