
Re: comments on Cross-Origin Resource Sharing (CORS) of 3-Apr-2012 (was: hey hey)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 21 Jun 2012 12:31:00 +0200
Message-ID: <CADnb78gv=Pm0Fquvv8OoOF1AB1jV_R751gBJxiPJaUu9cv=M2w@mail.gmail.com>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: W3C Web App Security WG <public-webappsec@w3.org>

On Tue, Jun 19, 2012 at 10:53 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> We could use some guidance on W3C spec-editing practices such as
> communicating markups.

We have rough guidelines here:

http://wiki.whatwg.org/wiki/Howto_spec

They are mostly aimed at API specifications, but apply here too.


> I can re-send the revised security considerations section in html if that'll
> help.
>
> I would obtain the present doc source here..
>
>  http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.src.html
>
> ..yes?

That would be excellent.


>> 2) I'm not sure the new text is actually better. E.g. it contains the
>> phrase "This specification defines how to authorize an instance of an
>> application from a foreign origin, executing in the user agent, to
>> access the representation of the resource in an HTTP response." Origin
>> is a user-agent centric concept. Turning it around seems unwise and is
>> inconsistent with the rest of the specification and any other
>> specification on the subject.
>>
>> It's also not clear to me we need to reiterate what
>> http://tools.ietf.org/html/rfc6454 already explains.
>
> that doesn't match my reading of RFC6454. "origin" (nee "web origin") is
> about designating the source of "content", which isn't strictly "user-agent
> centric."

Right, but it's the user agent that evaluates, compares, and enforces
origins. (As should be evident from all the places where origin is
used in the platform, including CORS.)


-- 
Anne — Opera Software
http://annevankesteren.nl/
http://www.opera.com/
Received on Thursday, 21 June 2012 10:31:32 GMT
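
Added example, not part of the original message or of the CORS specification text: a sketch of the user-agent side of the point above, where the server only emits headers and the user agent computes the RFC 6454 origin triple, compares it, and enforces the CORS resource sharing check. The function names and the `app.example` URLs are hypothetical, and non-http(s) schemes are simplified to an opaque origin.

```javascript
// Added illustration; names are hypothetical and the inputs are constructed.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// RFC 6454 origin of a URL as a (scheme, host, port) triple.
// Simplification: any scheme other than http/https yields an opaque origin (null).
function originOf(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname, // the URL parser already lower-cases http(s) hosts
    port: u.port === "" ? DEFAULT_PORTS[u.protocol] : Number(u.port),
  };
}

// Two origins are the same only if all three components match.
function sameOrigin(a, b) {
  return a !== null && b !== null &&
    a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// ASCII serialization: the value the user agent sends in the Origin header.
function serializeOrigin(o) {
  if (o === null) return "null";
  const isDefault = DEFAULT_PORTS[o.scheme + ":"] === o.port;
  return `${o.scheme}://${o.host}${isDefault ? "" : ":" + o.port}`;
}

// Resource sharing check, run by the user agent on the response.
// headers: array of [name, value] pairs; withCredentials: credentials were sent.
function resourceSharingCheck(documentUrl, headers, withCredentials) {
  const get = (name) =>
    headers.filter(([n]) => n.toLowerCase() === name).map(([, v]) => v);
  const acao = get("access-control-allow-origin");
  if (acao.length !== 1) return false;            // zero or several values: fail
  if (acao[0] === "*") return !withCredentials;   // wildcard never covers credentials
  // Case-sensitive match against the serialized origin of the requesting document.
  if (acao[0] !== serializeOrigin(originOf(documentUrl))) return false;
  if (!withCredentials) return true;
  const acac = get("access-control-allow-credentials");
  return acac.length === 1 && acac[0] === "true";
}
```

A `false` result means the user agent withholds the response from the requesting script; the server has typically already processed the request.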
