
Re: CORS/UMP to become joint WebApps and WebAppSec joint deliverable

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 3 Aug 2011 12:58:37 +0200
Cc: Thomas Roessler <tlr@w3.org>, "Arthur Barstow" <art.barstow@nokia.com>, "Maciej Stachowiak" <mjs@apple.com>, public-webapps <public-webapps@w3.org>, public-web-security <public-web-security@w3.org>
Message-Id: <3A79FD1A-1D89-43C4-8D6A-B9926F50FBA4@w3.org>
To: Anne van Kesteren <annevk@opera.com>

On Aug 3, 2011, at 10:21 , Anne van Kesteren wrote:

> On Tue, 02 Aug 2011 14:37:31 +0200, Arthur Barstow <art.barstow@nokia.com> wrote:
>> The From-Origin spec is WebApps'; it is _not_ a joint deliverable with the proposed WebAppSec WG.
> 
> I assumed it was because of "Secure Cross-Domain Framing" and the significant overlap.

It's certainly in scope for that group, though it's not obvious that from-origin is the approach that group would want to take.

In this particular case, the question isn't so much what deliverable is in what WG, but rather what the relationship is going to be with x-frame-options (draft under development at the IETF), a possible CSP based approach, and things like the timing-allow-from header.  The rest will eventually follow from that.

Sounds like a good discussion for TPAC to me.

Received on Wednesday, 3 August 2011 10:58:47 GMT
