W3C home > Mailing lists > Public > public-html@w3.org > January 2009

Re: ACTION-96: Origin removal

From: Sam Ruby <rubys@us.ibm.com>
Date: Mon, 19 Jan 2009 09:39:38 -0500
To: Henri Sivonen <hsivonen@iki.fi>
Cc: HTML WG <public-html@w3.org>
Message-ID: <OF9C7BFBFB.7E2C154C-ON85257543.004FB3FB-85257543.005088BC@us.ibm.com>

Henri Sivonen wrote on 01/18/2009 06:33:27 PM:
>
> On the last telecon, I got ACTION-96 to ensure that the editor removes
> the Origin header from the spec. I have since reviewed the feasibility
> of removing the header from the spec and discussed the issue with Hixie.
>
> I think it would be unproductive for all parties involved to remove
> things from the spec without another spec to put them into if we want
> to keep the feature in general.
>
> I see two ways to proceed:
>
> 1) Writing an Internet Draft that blesses the use of the Origin header
> for CSRF mitigation purposes in addition to its use as part of CORS
> leaving it to other specifications to say when the header is to be
> sent. In this case, the normative text referring to the header could
> *not* be removed from the HTML5 specification, since HTML5 would need
> to state when the header is sent in the context of HTML5 features.
>
> 2) Writing an Internet Draft that blesses the use of the Origin header
> for CSRF mitigation purposes in addition to its use as part of CORS
> and defines that browser-like user agents must send it on *all* non-
> GET/HEAD HTTP requests unless another spec specifically says not to
> send it in a particular case. In this case, HTML5 it wouldn't need to
> refer to the Internet Draft but the ID would need to have a normative
> reference to "source browsing context".
>
> In both cases, the ID would need to have a normative reference to the
> concept of "origin" as well as to "ASCII serialization of an origin".
>
> Adam Barth is expected to write the ID. Until the ID is written, it
> doesn't make sense for me to pursue the Action further at this time.
> Hence, the Action won't be complete on deadline unless the Chairs
> accept this report as concluding the ACTION-96.

The issue we are trying to resolve is ISSUE-63[1]: "Origin header: in
scope? required for this release?"

It sounds like either way the intent is to delegate this to the IETF.  Both
alternatives provide the same answers for the questions posed by the issue.

Given that there is precedent for "commenting out" areas of the spec which
do not enjoy consensus, and that I have recently been informed that
sections can be removed from the HTMLWG draft and be retained in the WHATWG
draft, would a decision to remove the description of the Origin header from
the HTMLWG draft without prejudice (i.e. the door is left open for this to
be reopened in the future) be something everybody could live with?

> --
> Henri Sivonen
> hsivonen@iki.fi
> http://hsivonen.iki.fi/

[1] http://www.w3.org/html/wg/tracker/issues/63
Received on Monday, 19 January 2009 14:40:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:28 GMT