
Re: HTTPbis and the Same Origin Policy

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 30 Nov 2009 16:20:23 -0800
Message-ID: <7789133a0911301620t22a3adedx591fcc50b2e6f2ad@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>

On Mon, Nov 30, 2009 at 11:25 AM, Tyler Close <tyler.close@gmail.com> wrote:
> On Wed, Nov 25, 2009 at 5:55 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Yes.  At the application layer.
>
> Perhaps we're just talking past each other here. I'll try again...
>
> When creating a new application layer API, the designers must take
> into account the SOP protection expected by resources. Currently,
> these expectations aren't documented anywhere. In the status-quo, the
> application layer API is expected to magically know all the SOP
> restrictions and then document how it enforces them. I'm just
> suggesting that it would be a good thing to remove some of the magic
> here by writing down the SOP restrictions, leaving the application API
> with only the task of documenting its enforcement mechanism.

I agree with everything you're saying, but you haven't explained why
this documentation should be at the protocol layer instead of the
application layer.

>> I'm not even sure you can articulate the policy coherently without
>> referring to application-layer concepts.  How would you explain the
>> restrictions on images in the HTML Canvas element in terms of HTTP
>> protocol messages?
>
> The response to a GET request must not be made accessible to content
> from another origin, unless the target resource has explicitly
> indicated otherwise. The HTML <script> tag is a notable violation of
> this restriction for content matching a particular syntax. Otherwise,
> this rule seems widely enforced.

Maciej already responded to this point, but this is a drastic
oversimplification.

Adam
Received on Tuesday, 1 December 2009 00:21:23 GMT
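As an added example, not part of this thread and not written by any of its participants, the following JavaScript models the rule Tyler states above (the body of a cross-origin GET response is withheld from the requesting page unless the resource has explicitly opted in, with the <script> tag as the exception) as a browser-side decision, plus a small audit helper a resource owner can use to see which origins would be able to read a given response. Modelling the "explicitly indicated otherwise" opt-in as a CORS Access-Control-Allow-Origin header, the function names, and the sample responses are assumptions of this example, not anything the thread specifies.

```javascript
// Added example: a toy model of the same-origin rule for GET responses as stated
// in the thread above. Function names and sample data are constructed for this
// example; the CORS opt-in is an assumption about how "explicitly indicated
// otherwise" is expressed today.

// Split an origin string into the (scheme, host, port) tuple that the
// same-origin comparison is based on. Default ports are filled in so that
// "https://a.example" and "https://a.example:443" compare equal.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.replace(':', '');
  const port = u.port || (scheme === 'https' ? '443' : '80');
  return { scheme, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = parseOrigin(a);
  const y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Decide what a page at `requestingOrigin` gets to see of a GET response that
// came from `resourceOrigin`. `consumer` is the application-layer API that made
// the request: 'xhr' (XMLHttpRequest / fetch) or 'script' (<script src=...>).
// `opts.credentials` marks a credentialed request (cookies sent).
// Returns 'readable' (body exposed), 'opaque' (fetched, body withheld) or
// 'executed-opaque' (run as script in the page, source text withheld).
function decideExposure(requestingOrigin, resourceOrigin, response, consumer, opts = {}) {
  if (sameOrigin(requestingOrigin, resourceOrigin)) return 'readable';

  if (consumer === 'script') {
    // The <script> exception from the thread: a cross-origin response that parses
    // as JavaScript is executed in the requesting page, so its side effects are
    // observable even though the text itself is not readable.
    return 'executed-opaque';
  }

  // Cross-origin XHR/fetch: withheld unless the resource opted in via CORS.
  const headers = response.headers || {};
  const allow = headers['access-control-allow-origin'];
  if (opts.credentials) {
    // With credentials, a wildcard is not accepted and the resource must also
    // send Access-Control-Allow-Credentials: true.
    return allow === requestingOrigin &&
      headers['access-control-allow-credentials'] === 'true'
      ? 'readable' : 'opaque';
  }
  return allow === '*' || allow === requestingOrigin ? 'readable' : 'opaque';
}

// Defender's check: given a response the server intends to send, list which of
// the candidate origins would be able to read its body through XHR/fetch.
function originsThatCanRead(resourceOrigin, response, candidateOrigins, opts = {}) {
  return candidateOrigins.filter(
    (o) => decideExposure(o, resourceOrigin, response, 'xhr', opts) === 'readable'
  );
}

// Constructed sample responses (not real services).
const sampleResponses = {
  // Public data the resource deliberately opens to everyone.
  publicData: { headers: { 'access-control-allow-origin': '*' }, body: '[1,2,3]' },
  // Per-user data with no opt-in at all.
  accountData: { headers: {}, body: '{"balance": 42}' },
  // Per-user data shared with exactly one partner origin.
  partnerData: {
    headers: {
      'access-control-allow-origin': 'https://partner.example',
      'access-control-allow-credentials': 'true',
    },
    body: '{"orders": []}',
  },
};

const CANDIDATES = ['https://bank.example', 'https://partner.example', 'https://other.example'];

function demo() {
  return {
    sameOriginRead: decideExposure('https://bank.example', 'https://bank.example', sampleResponses.accountData, 'xhr'),
    crossOriginWithheld: decideExposure('https://other.example', 'https://bank.example', sampleResponses.accountData, 'xhr'),
    scriptException: decideExposure('https://other.example', 'https://bank.example', sampleResponses.accountData, 'script'),
    wildcardNotCredentialed: decideExposure('https://other.example', 'https://bank.example', sampleResponses.publicData, 'xhr', { credentials: true }),
    accountReaders: originsThatCanRead('https://bank.example', sampleResponses.accountData, CANDIDATES, { credentials: true }),
    partnerReaders: originsThatCanRead('https://bank.example', sampleResponses.partnerData, CANDIDATES, { credentials: true }),
    publicReaders: originsThatCanRead('https://bank.example', sampleResponses.publicData, CANDIDATES),
  };
}
```

The `originsThatCanRead` check is the practical takeaway: before adding an Access-Control-Allow-Origin header to a resource, run the intended response through it with the origins you do and do not trust and confirm that only the trusted ones end up in the list. The `'executed-opaque'` branch is why a per-user response must never be valid JavaScript, since the <script> exception runs it regardless of any header.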
