W3C home > Mailing lists > Public > public-web-security@w3.org > May 2012

Re: same-origin assertions in the DNS (Fwd: [apps-discuss] draft-sullivan-domain-origin-assert-00)

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 13 May 2012 03:41:23 -0700
Cc: Henrik Nordström <henrik@henriknordstrom.net>, Peter Saint-Andre <stpeter@stpeter.im>, Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>
Message-id: <230D1558-23B6-4AFE-9035-3DAC6740CD90@apple.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>

On May 9, 2012, at 11:25 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:

> Hi,
> I'm responding to two messages at once because I didn't receive the
> earlier of these.  I should note that I'm not actually a subscriber to
> any w3c list, and so if one wants me to address a particular objection
> one needs to cc: me for the time being.  I appreciate the comments,
> however!
> On Thu, May 10, 2012 at 07:17:40AM +0200, Henrik Nordström wrote:
>> ons 2012-05-09 klockan 22:10 -0700 skrev Maciej Stachowiak:
>>> Treating separate domains as same-origin based on DNS records seems
>>> extremely dangerous
> I'm not sure how I can respond to this objection, given that the
> entire idea of "same origin" without DNS is hard for me to understand.
> What do you mean by it?  I think the draft actually points out that,
> if both sides don't agree or you're not using DNSSEC (or both), there
> are problems.  Is that not clear enough?

The draft doesn't clearly state what to do with the information in BOUND records, so it's not clear enough. Does the spec require supporting the cases where "there are problems"? Does it require not doing so? It's impossible to tell. 

Received on Sunday, 13 May 2012 10:44:43 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:20 UTC