
Re: HTTPbis and the Same Origin Policy

From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 3 Dec 2009 08:36:54 +0100 (CET)
To: Tyler Close <tyler.close@gmail.com>
cc: Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org
Message-ID: <alpine.DEB.2.00.0912030832230.18986@tvnag.unkk.fr>
On Wed, 2 Dec 2009, Tyler Close wrote:

(ietf-http-wg removed from the CC list)

> """
> The SOP rule is something like: Don't follow a cross-domain redirect
> of a PUT request, unless the redirect target has opted out of SOP
> protection.
>
> So, upon seeing the 307 redirect, libcurl would report an error if the
> origin of the Request-URI does not match the origin of the URL in the
> Location header; otherwise, the redirect is followed. Until there's a
> standard way for a resource to opt out of SOP, that's the best that
> can be done.
> """

Won't this get the user into the publicsuffix problem basically? I mean, if my 
company has two vhosts under a single domain, shouldn't they be perfectly 
possible to redirect back and forth between each other?

    foo.example.com redirecting a POST to bar.example.com

That's quite different than foo.com redirecting to bar.com. But just as with 
cookies, we can't really tell the difference just by looking at the names - as 
the names don't reveal the topology.

-- 

  / daniel.haxx.se
Received on Thursday, 3 December 2009 07:37:40 GMT
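A worked check for the two comparisons discussed above, as an added example that is not part of this thread or of libcurl: the strict per-origin rule from the quoted text beside a registrable-domain comparison that lets foo.example.com and bar.example.com redirect to each other while still separating foo.com from bar.com. The tiny PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "co.uk"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(scheme))


def registrable_domain(host):
    """Return the label directly below the public suffix, e.g. 'example.com'.

    Returns None when the host is itself a public suffix or its suffix is not
    in the list, so that such hosts never compare equal (refuse, don't guess).
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def follow_redirect(method, request_url, location, policy="origin"):
    """Decide whether a client may follow a 307 redirect of this request.

    policy="origin": the strict rule in the quoted text, exact origin match.
    policy="registrable": same scheme and same registrable domain, so sibling
    vhosts under one domain may redirect to each other.
    Safe methods are always followed; the SOP rule targets PUT/POST.
    """
    if method.upper() in ("GET", "HEAD"):
        return True
    src, dst = origin(request_url), origin(location)
    if policy == "origin":
        return src == dst
    src_dom, dst_dom = registrable_domain(src[1]), registrable_domain(dst[1])
    return src[0] == dst[0] and src_dom is not None and src_dom == dst_dom
```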
