www-talk@w3.org mailing list archive (W3C public lists), November to December 2008

Re: Fallback flow for /site-meta for top level domains

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 3 Dec 2008 23:58:37 +1100
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>, Jonathan Rees <jar@creativecommons.org>
Message-Id: <770EBDF3-3A8F-46D6-831C-0B51A22700F9@mnot.net>
To: Ben Laurie <benl@google.com>

On 03/12/2008, at 11:32 PM, Ben Laurie wrote:

> On Wed, Dec 3, 2008 at 10:38 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> Considering that one of your core use cases for this is security-related,
>> I'm surprised that you're effectively arguing that HTTP and HTTPS URLs with
>> the same authority be collapsed into one name space.
>> Many standards and common practices currently sandbox policy and metadata to
>> a single URL scheme + authority by default, including robots.txt, p3p.xml,
>> cookie scoping,
> Surely cookies are scoped to HTTP and HTTPS by default.

It depends on who you talk to; we don't really have a spec for cookies
that reflects reality, and there are subtle differences in the
implementations. RFC2109 says
> The user agent keeps separate track of state information that
> arrives via Set-Cookie response headers from each origin server (as
> distinguished by name or IP address and port).

... but goes on to contradict that later on.

Authentication is a better example.

>> automated redirection processing in HTTP,
> I don't know what this is.

Argh - sorry, confused a proposal discussed recently with specified  
behaviour. Never mind.

>> cache invalidation, OPTIONS metadata, cross-site scripting
> There are standards for XSS???

There's a de facto standard in the browsers (same origin), and these  
folks are working towards something more formal, maybe;

Mark Nottingham     http://www.mnot.net/
Received on Wednesday, 3 December 2008 12:59:17 UTC
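The disagreement above (whether cookies are scheme-scoped, versus the browser's same-origin rule) is easy to make concrete. The Python below is an added example, not code from the thread or from either participant; it models the two boundaries as later standardised: same-origin per RFC 6454 (scheme + host + port) and cookie scoping per RFC 6265 (host and path only; scheme and port are ignored unless the cookie carries the Secure attribute). Both RFCs postdate this message (2011) and RFC 6265 replaced RFC 2109, so the model reflects current browser behaviour rather than the spec text quoted above. The URLs are constructed for illustration; public-suffix checks and the later "Secure cookies only from secure origins" rule of RFC 6265bis are deliberately left out.

```python
"""Same-origin versus cookie scoping for http:// and https:// URLs that share an
authority. Added illustration; URLs below are constructed, not from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) as a browser computes it for the same-origin check
    (RFC 6454). An explicit default port collapses, so http://a:80/ == http://a/."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, u.hostname, port)


def same_origin(url_a, url_b):
    """Scheme is part of the tuple, so http and https on one host differ."""
    return origin(url_a) == origin(url_b)


@dataclass
class Cookie:
    name: str
    domain: str      # lowercase, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool


def _default_path(uri_path):
    """RFC 6265 section 5.1.4 default-path: the 'directory' of the request path."""
    if not uri_path.startswith("/") or uri_path.count("/") == 1:
        return "/"
    return uri_path[: uri_path.rfind("/")]


def _domain_matches(host, domain):
    """RFC 6265 section 5.1.3 domain-match; IP addresses never match a suffix."""
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    try:
        ip_address(host)
        return False
    except ValueError:
        return True


def _path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def store_cookie(set_cookie_url, name, domain=None, path=None, secure=False):
    """Model the user agent storing a cookie from a Set-Cookie on set_cookie_url.
    Note what is NOT recorded: the scheme and the port of the setting URL."""
    u = urlsplit(set_cookie_url)
    host = u.hostname
    cookie_path = path or _default_path(u.path)
    if domain is None:
        return Cookie(name, host, True, cookie_path, secure)
    domain = domain.lower().lstrip(".")
    if not _domain_matches(host, domain):
        raise ValueError("Domain attribute does not cover the setting host")
    return Cookie(name, domain, False, cookie_path, secure)


def cookie_is_sent(cookie, request_url):
    """RFC 6265 section 5.4: would the user agent attach this cookie to the request?"""
    u = urlsplit(request_url)
    host = u.hostname
    if cookie.host_only:
        if host != cookie.domain:
            return False
    elif not _domain_matches(host, cookie.domain):
        return False
    if not _path_matches(u.path or "/", cookie.path):
        return False
    # The only scheme-sensitive rule: Secure cookies travel over https only.
    if cookie.secure and u.scheme.lower() != "https":
        return False
    return True


def compare_boundaries(url_a, url_b):
    """Summarise how state set at url_a reaches url_b under each rule."""
    plain = store_cookie(url_a, "sid")
    secure = store_cookie(url_a, "sid", secure=True)
    return {
        "same_origin": same_origin(url_a, url_b),
        "plain_cookie_sent": cookie_is_sent(plain, url_b),
        "secure_cookie_sent": cookie_is_sent(secure, url_b),
    }


if __name__ == "__main__":
    # Constructed illustration: same authority, different scheme.
    print(compare_boundaries("https://example.com/", "http://example.com/"))
```

Running it shows the asymmetry the thread is arguing about: https://example.com/ and http://example.com/ are different origins, yet a cookie set over https without the Secure attribute is sent back over plain http, and a port change (example.com:8080) breaks same-origin but not cookie delivery. Any metadata that is meant to carry security policy therefore has to choose which of these boundaries it inherits, which is exactly the question raised about /site-meta.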
