W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: HTTPbis and the Same Origin Policy

From: Mark S. Miller <erights@google.com>
Date: Mon, 30 Nov 2009 11:51:03 -0800
Message-ID: <4d2fac900911301151h6a1d2b02uaf16b090f58844ae@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Nov 30, 2009 at 11:25 AM, Tyler Close <tyler.close@gmail.com> wrote:
> The response to a GET request must not be made accessible to content
> from another origin, unless the target resource has explicitly
> indicated otherwise. The HTML <script> tag is a notable violation of
> this restriction for content matching a particular syntax. Otherwise,
> this rule seems widely enforced.

Other exceptions I'm aware of:

* size of images fetched using img tags.
* port scanning by differential error behavior

What other exceptions remain?

Received on Monday, 30 November 2009 19:51:41 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:52 UTC