Re: W3C/IETF HTML 5 get-together ~25 March

From: Sam Ruby <rubys@intertwingly.net>
Date: Fri, 27 Mar 2009 12:00:24 -0400
Message-ID: <49CCF818.9010905@intertwingly.net>
To: Thomas Roessler <tlr@w3.org>
CC: Dan Connolly <connolly@w3.org>, public-ietf-w3c <public-ietf-w3c@w3.org>, Mark Nottingham <mnot@mnot.net>

Thomas Roessler wrote:
> On 27 Mar 2009, at 14:42, Thomas Roessler wrote:
> 
>> Thanks Sam and Dan!
>>
>> From the notes, I can't quite tell whether Origin and CORS got 
>> discussed together or separately.  That doesn't really match reality, 
>> as there's (at least in the view of some)
> 
> "Discussing them separately ignores an important motivation for Origin" 
> is what I mean -- sorry for the unclear words.

They were discussed separately.  As you point out, that may have been 
unfortunate.  I was unaware of the connection between the two.

>> value to using the same header for CORS and more general cross site 
>> request forgery prevention.  That aspect is, in my view, an important 
>> element in the cost/benefit analysis for Origin.
>>
>> Concerning "JavaScript sandboxing", I wonder what precisely people at 
>> the meeting had in mind.  Is this another instance of the topic area 
>> of last December's workshop
>>
>>  http://www.w3.org/2008/security-ws/
>>
>> ... or is something different meant?

That was mentioned in passing, simply as an area where additional 
security review may be warranted.  It wasn't elaborated further.

>> Regards,
>> -- 
>> Thomas Roessler, W3C  <tlr@w3.org>

- Sam Ruby
Received on Friday, 27 March 2009 16:01:04 GMT