W3C home > Mailing lists > Public > public-web-security@w3.org > July 2011

Re: Publishing From-Origin Proposal as FPWD

From: Arthur Barstow <art.barstow@nokia.com>
Date: Fri, 01 Jul 2011 10:34:01 -0400
Message-ID: <4E0DDAD9.9070400@nokia.com>
To: ext Daniel Veditz <dveditz@mozilla.com>, Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>
CC: WebApps WG <public-webapps@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>
On 6/30/11 10:31 PM, ext Daniel Veditz wrote:
> On 6/30/11 9:31 AM, Maciej Stachowiak wrote:
>> On Jun 30, 2011, at 7:22 AM, Anne van Kesteren wrote:
>>> (Added public-web-security because of the potential for doing
>>> this in CSP instead. Though that would require a slight change
>>> of scope for CSP, which I'm not sure is actually desirable.)
>> I approve of publishing this as FWPD.
>>
>> I also don't think it makes sense to tie this to CSP.
> Conceptually it's similar to the CSP frame-ancestors
> directive--which we've decided doesn't fit in CSP either. Most of
> CSP is "can load" while frame-ancestors was "can be loaded by".
> We've proposed that the frame-ancestors functionality be moved into
> an expanded/standardized X-Frame-Options mechanism, but a
> standardized "From-Origin" would work just as well (better?).
>
> It may still make sense to put From-Origin in the WebSecurity
> (not-quite) WG along with CORS rather than free floating in WebApps.
> But I don't have strong feelings about that.

I don't feel strongly about the charter issue either. (As I understand 
it, CORS will be a joint deliverable between WebApps WG and WebAppSec WG 
and as such, my expectation is that both WGs will participate in 
decisions such as "does the spec meet Last Call Working Draft 
requirements?".)

> Mozilla would be
> interested in implementing this feature regardless.

This is good to read. Based on the feeback so far, I will start a CfC to 
publish a First Public Working Draft of Anne's spec.

-Art Barstow

[1] http://lists.w3.org/Archives/Public/www-tag/2011Jun/0192.html
Received on Friday, 1 July 2011 16:02:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 1 July 2011 16:02:45 GMT