W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: HTTPbis and the Same Origin Policy

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 30 Nov 2009 11:25:05 -0800
Message-ID: <5691356f0911301125o26ef95f6ia195ae643bf8e948@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Nov 25, 2009 at 5:55 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, Nov 25, 2009 at 2:34 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Wed, Nov 25, 2009 at 1:54 PM, Adam Barth <w3c@adambarth.com> wrote:
>>> Indeed.  Security in the application layer is quite complex.  That's
>>> what makes life interesting.  :)
>>
>> So are you agreeing that there do exist SOP rules that the application
>> layer must obey? If so, should we document those rules?
>
> Yes.  At the application layer.

Perhaps we're just talking past each other here. I'll try again...

When creating a new application layer API, the designers must take
into account the SOP protection expected by resources. Currently,
these expectations aren't documented anywhere. In the status-quo, the
application layer API is expected to magically know all the SOP
restrictions and then document how it enforces them. I'm just
suggesting that it would be a good thing to remove some of the magic
here by writing down the SOP restrictions, leaving the application API
with only the task of documenting its enforcement mechanism.

> I'm not even sure you can articulate the policy coherently without
> referring to application-layer concepts.  How would you explain the
> restrictions on images in the HTML Canvas element in terms of HTTP
> protocol messages?

The response to a GET request must not be made accessible to content
from another origin, unless the target resource has explicitly
indicated otherwise. The HTML <script> tag is a notable violation of
this restriction for content matching a particular syntax. Otherwise,
this rule seems widely enforced.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 30 November 2009 19:25:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:13 GMT