- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 3 Dec 2008 23:58:37 +1100
- To: Ben Laurie <benl@google.com>
- Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>, Jonathan Rees <jar@creativecommons.org>
On 03/12/2008, at 11:32 PM, Ben Laurie wrote:

> On Wed, Dec 3, 2008 at 10:38 AM, Mark Nottingham <mnot@mnot.net> wrote:
>>
>> Considering that one of your core use cases for this is security-related,
>> I'm surprised that you're effectively arguing that HTTP and HTTPS URLs with
>> the same authority be collapsed into one name space.
>>
>> Many standards and common practices currently sandbox policy and metadata to
>> a single URL scheme + authority by default, including robots.txt, p3p.xml,
>> cookie scoping,
>
> Surely cookies are scoped to HTTP and HTTPS by default.

It depends on who you talk to; we don't really have a spec for cookies that reflects reality, and there are subtle differences in the implementations. RFC2109 says

> The user agent keeps separate track of state information that
> arrives via Set-Cookie response headers from each origin server (as
> distinguished by name or IP address and port).

... but goes on to contradict that later on.

Authentication is a better example.

>> automated redirection processing in HTTP,
>
> I don't know what this is.

Argh - sorry, confused a proposal discussed recently with specified behaviour. Never mind.

>> cache invalidation, OPTIONS metadata, cross-site scripting
>
> There are standards for XSS???

There's a de facto standard in the browsers (same origin), and these folks are working towards something more formal, maybe; http://www.w3.org/2006/WSC/

--
Mark Nottingham http://www.mnot.net/
Received on Wednesday, 3 December 2008 12:59:17 UTC
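As an added illustration (not part of the thread above, nor any browser's code), the following JavaScript contrasts the two scoping rules the exchange is comparing: the browser same-origin tuple of scheme, host and port, and cookie scoping as browsers implement it, which keys on host and path and ignores scheme and port (behaviour later written down in RFC 6265, which postdates this message). The URL values, cookie records and helper names are constructed for the example; only the standard WHATWG `URL` class is assumed.

```javascript
// Added example: same-origin tuple versus cookie scope for the same authority.
// Uses only the WHATWG URL class available in browsers and Node.js.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Same-origin policy compares (scheme, host, port). An explicit default port
// is normalised so http://host:80 and http://host are the same origin.
function webOrigin(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return webOrigin(a) === webOrigin(b);
}

// Cookie scope (RFC 6265 behaviour): the cookie jar is keyed by host, not by
// scheme or port, so http://host and https://host share one jar.
function cookieScope(urlString) {
  return new URL(urlString).hostname;
}

function sharesCookieJar(a, b) {
  return cookieScope(a) === cookieScope(b);
}

// RFC 6265 default-path: the request path up to, but not including, its
// right-most "/"; "/" when there is no directory component.
function defaultPath(pathname) {
  const cut = pathname.lastIndexOf("/");
  return cut <= 0 ? "/" : pathname.slice(0, cut);
}

// Constructed cookie record for a host-only cookie (no Domain attribute) set
// in a response to `setFromUrl`. `secure` models the Secure attribute.
function makeCookie(setFromUrl, name, value, { secure = false } = {}) {
  const u = new URL(setFromUrl);
  return { name, value, host: u.hostname, path: defaultPath(u.pathname), secure };
}

// RFC 6265 path-match: equal, or a prefix that ends at a "/" boundary.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would `cookie` be attached to a request for `requestUrl`? The Secure
// attribute is the only place the scheme is consulted: it restricts sending
// to https, but a cookie set over plain http is still sent to https pages
// on the same host, which is the collapsing of name spaces the thread
// is worried about.
function cookieSentTo(cookie, requestUrl) {
  const r = new URL(requestUrl);
  if (cookie.host !== r.hostname) return false;
  if (!pathMatches(cookie.path, r.pathname)) return false;
  if (cookie.secure && r.protocol !== "https:") return false;
  return true;
}

// Both answers for one pair of URLs, so the difference is visible at a glance.
function compareScopes(a, b) {
  return { sameOrigin: sameOrigin(a, b), sharesCookieJar: sharesCookieJar(a, b) };
}

// Usage: the same authority over http and https is two origins but one cookie jar.
console.log(compareScopes("http://example.com/", "https://example.com/"));
```

The defensive reading of `cookieSentTo` is that the Secure attribute only stops a cookie from travelling over plain HTTP; it does not stop a cookie planted by an HTTP response from being presented to the HTTPS site on the same host, so session cookies for an HTTPS application should be set only from HTTPS responses and marked Secure.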