
Re: #322: Origin

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 14 Dec 2011 10:55:29 -0800
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <FA0C9982-9745-45E2-8E33-CF9D9E80B3F0@gbiv.com>
To: Mark Nottingham <mnot@mnot.net>
No, the notion in Origin is an exception to DNS authorities for broadening
security constraints on JavaScript, etc.  HTTP caching must not allow a
non-matching-authority (including a different port) to define what can be
invalidated or replaced.

....Roy

On Dec 13, 2011, at 7:27 PM, Mark Nottingham wrote:

> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/322>
> 
> Since we now have a definition of an Origin, it'd be good to use it where appropriate.
> 
> Proposal for p7 2.2:
> 
> """A protection space is defined by the origin [ref to origin rfc], combined with the realm value (if present)."""
> 
> Proposal for p6 2.5:
> 
> """However, a cache MUST NOT invalidate a URI from a Location or Content-Location header field if that URI does not have the same origin as that of the effective request URI (section 4.3 of [Part1]), as specified in [ref to origin rfc]."""
> 
> Comments?
> 
> 
> --
> Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 14 December 2011 18:58:40 GMT
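
The invalidation restriction discussed in this thread, as an added example that is not part of either message or of any cache's own code: a Location or Content-Location value is accepted as an invalidation target only when its scheme, host and port match the effective request URI. The function names, the plain-dict headers and the sample URIs in the test are assumptions made for the illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def authority_key(uri):
    """Return (scheme, host, port) with the default port filled in, or None."""
    try:
        parts = urlsplit(uri)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port)   # hostname is already lower-cased


def may_invalidate(effective_request_uri, header_value):
    """True if the header value names the same scheme, host and port."""
    request_key = authority_key(effective_request_uri)
    if request_key is None:
        return False
    try:
        # Relative references are resolved against the effective request URI.
        target = urljoin(effective_request_uri, header_value.strip())
    except ValueError:
        return False
    return authority_key(target) == request_key


def invalidation_targets(effective_request_uri, headers):
    """URIs a cache would invalidate for this response (headers: plain dict)."""
    targets = [effective_request_uri]
    for name in ("Location", "Content-Location"):
        value = headers.get(name)
        if value and may_invalidate(effective_request_uri, value):
            target = urljoin(effective_request_uri, value.strip())
            if target not in targets:
                targets.append(target)
    return targets
```

An explicit default port (`:80` on `http`) compares equal to an omitted one, while any other port, scheme or host is treated as a different authority and ignored.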
