
Re: W3C/IETF HTML 5 get-together ~25 March

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 27 Mar 2009 17:08:37 +0100
To: Sam Ruby <rubys@intertwingly.net>
Message-Id: <A6B517DC-4702-4EA3-ACB5-CDAAE141B735@w3.org>
Cc: Dan Connolly <connolly@w3.org>, public-ietf-w3c <public-ietf-w3c@w3.org>, Mark Nottingham <mnot@mnot.net>

On 27 Mar 2009, at 17:00, Sam Ruby wrote:

> Thomas Roessler wrote:
>> On 27 Mar 2009, at 14:42, Thomas Roessler wrote:
>>> Thanks Sam and Dan!
>>>
>>> From the notes, I can't quite tell whether Origin and CORS got  
>>> discussed together or separately.  That doesn't really match  
>>> reality, as there's (at least in the view of some)
>> "Discussing them separately ignores an important motivation for  
>> Origin" is what I mean -- sorry for the unclear words.
>
> They were discussed separately.  As you point out, that may have  
> been unfortunate.  I was unaware of the connection between the two.

That's what I feared.  Mark, any ideas on how to manage next steps in  
that discussion?  (I'd hope we can avoid the "cross site request  
forgery is not a security hole" rathole this time...)

>>> value to using the same header for CORS and more general cross  
>>> site request forgery prevention.  That aspect is, in my view, an  
>>> important element in the cost/benefit analysis for Origin.
>>>
>>> Concerning "JavaScript sandboxing", I wonder what precisely people  
>>> at the meeting had in mind.  Is this another instance of the topic  
>>> area of last December's workshop
>>>
>>> http://www.w3.org/2008/security-ws/
>>>
>>> ... or is something different meant?
>
> That was mentioned in passing, simply as an area where additional  
> security review may be warranted.  It wasn't elaborated further.

Thanks for clarifying.
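Added example (not part of the thread, and not code from either participant) showing the point made above: a single server-side check on the Origin header that both answers CORS for trusted partner sites and refuses cross-site request forgery on state-changing requests. The site names, the trusted list and the fail-closed policy for requests lacking an Origin header are assumptions.

```python
# Added example (not from the thread): one server-side Origin check that serves
# both purposes the message ties together, answering CORS for trusted partners
# and refusing cross-site request forgery on state-changing requests.
# Site names, the trusted list and the fail-closed policy are assumptions.
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Decision:
    allowed: bool
    reason: str
    cors_headers: dict = field(default_factory=dict)  # set only for trusted cross-origin


def check_origin(method: str, origin: Optional[str], site_origin: str,
                 trusted: FrozenSet[str]) -> Decision:
    """Decide on a request from its method and Origin header alone."""
    method = method.upper()
    if origin is None:
        # Legacy browsers omit Origin on same-origin navigation, so reads pass;
        # a state-changing request without it fails closed.
        if method in SAFE_METHODS:
            return Decision(True, "no Origin header; safe method")
        return Decision(False, "no Origin header on state-changing request")
    if origin == "null":
        # Opaque origin (sandboxed iframe, file://, redirect): cannot be trusted.
        return Decision(False, "opaque 'null' origin")
    if origin == site_origin:
        return Decision(True, "same-origin")
    if origin in trusted:
        # The same header that gated CSRF now drives the CORS response headers.
        return Decision(True, "trusted cross-origin", {
            "Access-Control-Allow-Origin": origin,
            "Vary": "Origin",
        })
    # A cross-site form POST lands here and is refused before it has any effect.
    return Decision(False, f"untrusted origin {origin}")


if __name__ == "__main__":
    # Constructed requests against a hypothetical site https://app.example
    trusted = frozenset({"https://partner.example"})
    for method, origin in [("POST", "https://evil.example"), ("POST", None),
                           ("GET", None), ("POST", "https://partner.example")]:
        d = check_origin(method, origin, "https://app.example", trusted)
        print(f"{method:5} {str(origin):24} -> {('allow' if d.allowed else 'deny'):5} {d.reason}")
```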

Received on Friday, 27 March 2009 16:08:49 GMT