
Re: Security was ACTION-54: Whatwg restricts XHR more headers than we do

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 20 Mar 2006 10:13:21 -0800
Message-ID: <441EF0C1.4010503@sicking.cc>
To: Charles McCathieNevile <chaals@opera.com>, Web APIs WG <public-webapi@w3.org>

Charles McCathieNevile wrote:
> 
> On Sat, 18 Mar 2006 03:17:55 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
> 
>> I have an action to ask Hixie why the whatwg spec for XHR restricts 
>> more headers than our current draft.
>>
>> He said that the spec is basically still a work in progress and that 
>> he had gotten many comments on it that were not yet addressed.
>>
>> His recommendation is that we go ahead with the spec as is and collect 
>> comments on our own.
>>
>> The intended reason for the restrictions was simply security.
> 
> As I have said before, I have a strong preference that we do not place 
> restrictions on specs for security reasons. It makes sense that we have 
> a security issues section in a spec, noting things that are commonly 
> done by user agents, but I am not convinced that it makes sense to 
> prohibit things which have use cases in a trusted environment just so 
> the Foo spec can be complete and stand-alone in an untrusted 
> environment.

I completely agree. Though I think some of the headers make sense to 
always limit since they would otherwise break the HTTP spec, like 'host' 
for example.

/ Jonas
Received on Monday, 20 March 2006 18:13:25 GMT
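One way a user agent can enforce the kind of restriction Jonas describes, as an added example that is not part of this thread or of any browser's code: a stand-in for `setRequestHeader` that silently drops headers a script must not control. 'Host' is the thread's own example; the other names and the `Proxy-`/`Sec-` prefixes are assumed here from the modern Fetch forbidden request header list, and `isHeaderAllowed` is a hypothetical helper.

```javascript
// Added example (not from the thread): a setRequestHeader-style check that
// rejects headers a script must not control. 'host' is the thread's own
// example; the rest of the list and the prefixes are an assumption taken
// from the modern Fetch "forbidden request header" list.
const FORBIDDEN_HEADERS = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// HTTP token characters (RFC 7230): a header name may contain only these.
const TOKEN_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Returns true when a script may set `name`; the comparison is
// case-insensitive, so "Host", "HOST" and "host" are all refused.
function isHeaderAllowed(name) {
  const lower = name.toLowerCase();
  if (FORBIDDEN_HEADERS.has(lower)) return false;
  return !FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Hypothetical stand-in for XMLHttpRequest.setRequestHeader: rejects
// malformed names and values (CR/LF would let a script inject a second
// header), ignores forbidden names, and otherwise records the header.
function setRequestHeader(headers, name, value) {
  if (!TOKEN_RE.test(name) || /[\r\n\0]/.test(value)) {
    throw new SyntaxError(`invalid header: ${name}`);
  }
  if (!isHeaderAllowed(name)) return headers; // silently dropped, as XHR does
  const key = name.toLowerCase();
  const trimmed = value.trim(); // leading/trailing whitespace is not sent
  // Repeated calls with the same name combine the values, as XHR does.
  headers.set(key, headers.has(key) ? `${headers.get(key)}, ${trimmed}` : trimmed);
  return headers;
}

// Constructed demonstration of what survives into the request.
const demoHeaders = new Map();
setRequestHeader(demoHeaders, "X-Requested-With", " XMLHttpRequest ");
setRequestHeader(demoHeaders, "Host", "other.example");   // dropped: would break HTTP routing
setRequestHeader(demoHeaders, "Sec-Fetch-Mode", "cors");  // dropped: Sec- prefix is reserved
setRequestHeader(demoHeaders, "X-Requested-With", "again");
```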
