Re: HTTPbis and the Same Origin Policy

On Wed, Nov 25, 2009 at 5:55 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, Nov 25, 2009 at 2:34 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Wed, Nov 25, 2009 at 1:54 PM, Adam Barth <w3c@adambarth.com> wrote:
>>> Indeed.  Security in the application layer is quite complex.  That's
>>> what makes life interesting.  :)
>>
>> So are you agreeing that there do exist SOP rules that the application
>> layer must obey? If so, should we document those rules?
>
> Yes.  At the application layer.

Perhaps we're just talking past each other here. I'll try again...

When creating a new application layer API, the designers must take
into account the SOP protection expected by resources. Currently,
these expectations aren't documented anywhere. In the status-quo, the
application layer API is expected to magically know all the SOP
restrictions and then document how it enforces them. I'm just
suggesting that it would be a good thing to remove some of the magic
here by writing down the SOP restrictions, leaving the application API
with only the task of documenting its enforcement mechanism.

> I'm not even sure you can articulate the policy coherently without
> referring to application-layer concepts.  How would you explain the
> restrictions on images in the HTML Canvas element in terms of HTTP
> protocol messages?

The response to a GET request must not be made accessible to content
from another origin, unless the target resource has explicitly
indicated otherwise. The HTML <script> tag is a notable violation of
this restriction for content matching a particular syntax. Otherwise,
this rule seems widely enforced.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Monday, 30 November 2009 19:25:45 UTC