
Re: HTTPbis and the Same Origin Policy

From: Albert Lunde <atlunde@panix.com>
Date: Thu, 3 Dec 2009 10:01:06 -0500
To: public-web-security@w3.org
Message-ID: <20091203150106.GA3179@panix.com>

> After analyzing this particular situation, I am not sure it makes sense 
> to apply the same-origin policy as-is to low-level HTTP clients as 
> opposed to browser-like clients. There may be some variant of the  
> same-origin policy that some subset of low-level network clients should 
> consider.

For every API that chooses to enforce a same-origin policy there
will be a lower-level set of transport functions able to
ignore it. It's futile to try to claim that everything should
enforce a same-origin policy. 

Instead try to document what APIs that enforce a same-origin 
policy should do, and lay out the contexts where this is desirable.

(There are a few too many Turing-complete scripting engines
running in the typical web browser, and placing some
deliberate restrictions on them at _some_ level _is_
a good idea...)

-- 
    Albert Lunde  albert-lunde@northwestern.edu
                  atlunde@panix.com  (new address for personal mail)
Received on Thursday, 3 December 2009 15:01:34 GMT
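The distinction drawn in the message above, between an API that enforces a same-origin policy and the transport functions beneath it that cannot, as an added example (not code from the message, the thread, or any W3C work product). `sameOrigin` compares the (scheme, host, port) tuple of two URLs; `guardedRequest` is a hypothetical script-facing API that applies that check before issuing a request; `buildRawRequest` is the hypothetical transport layer it sits on, which assembles the bytes of an HTTP/1.1 GET for any host and has no notion of "origin" at all. The names and the default-port table are assumptions made for this example.

```javascript
// Added example, not part of the original message: a same-origin check as a
// browser-level API would enforce it, next to the transport-level request
// builder underneath it, which can send to any host the caller names.

// Default ports per scheme (assumption for this example), so that
// "http://a.example" and "http://a.example:80" compare as one origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Return the (scheme, host, port) origin tuple of a URL, or null for schemes
// that have no network origin (data:, file:, ...), which are treated as opaque.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname,                       // URL() already lower-cases the host
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Same-origin comparison: scheme, host and port must all match exactly.
// Opaque origins never match anything, not even themselves.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Hypothetical script-facing API (assumption): code running in a document at
// `pageUrl` may only fetch targets on that document's own origin.
function guardedRequest(pageUrl, target) {
  if (!sameOrigin(pageUrl, target)) {
    throw new Error(`same-origin policy: ${pageUrl} may not read ${target}`);
  }
  return buildRawRequest(target);
}

// Hypothetical transport layer (assumption): builds the wire bytes of an
// HTTP/1.1 GET for whatever URL it is handed. Nothing here knows or cares
// what origin the caller came from, which is the point made in the message.
function buildRawRequest(target) {
  const u = new URL(target);
  const path = u.pathname + u.search;       // pathname is never empty for http(s)
  return `GET ${path} HTTP/1.1\r\nHost: ${u.host}\r\n\r\n`;
}

// Stand-alone demonstration on constructed URLs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(sameOrigin("http://a.example", "http://a.example:80/x"));    // true
  console.log(sameOrigin("http://a.example", "https://a.example"));        // false
  console.log(JSON.stringify(guardedRequest("http://a.example/p", "http://a.example/api")));
  console.log(JSON.stringify(buildRawRequest("http://b.example/api?q=1")));
}
```

The guarded API refuses the cross-origin call; the raw builder beneath it produces a perfectly valid request for the same target. Any policy added at the API layer is only as strong as the caller's lack of access to the layer below it, which is why the message argues for documenting where enforcement is expected rather than claiming it everywhere.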
