On 03/12/2008, at 11:32 PM, Ben Laurie wrote:

> On Wed, Dec 3, 2008 at 10:38 AM, Mark Nottingham <mnot@mnot.net> wrote:
>>
>> Considering that one of your core use cases for this is security-related,
>> I'm surprised that you're effectively arguing that HTTP and HTTPS URLs with
>> the same authority be collapsed into one name space.
>>
>> Many standards and common practices currently sandbox policy and metadata to
>> a single URL scheme + authority by default, including robots.txt, p3p.xml,
>> cookie scoping,
>
> Surely cookies are scoped to HTTP and HTTPS by default.

It depends on who you talk to; we don't really have a spec for cookies that reflects reality, and there are subtle differences in the implementations. RFC2109 says

> The user agent keeps separate track of state information that
> arrives via Set-Cookie response headers from each origin server (as
> distinguished by name or IP address and port).

... but goes on to contradict that later on. Authentication is a better example.

>> automated redirection processing in HTTP,
>
> I don't know what this is.

Argh - sorry, confused a proposal discussed recently with specified behaviour. Never mind.

>> cache invalidation, OPTIONS metadata, cross-site scripting
>
> There are standards for XSS???

There's a de facto standard in the browsers (same origin), and these folks are working towards something more formal, maybe; http://www.w3.org/2006/WSC/

--
Mark Nottingham
http://www.mnot.net/

Received on Wednesday, 3 December 2008 12:59:17 GMT
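The scoping disagreement in this message, as an added illustration that is not code from the thread: the browser same-origin rule keys on scheme + host + port, the RFC 2109 sentence quoted above keys on host (or IP) and port only, and the two give different answers for an HTTP and an HTTPS URL with the same authority. The third rule (host-only scoping, with only the Secure attribute restoring a scheme boundary) is this example's assumption about deployed cookie behaviour, not a statement from the mail.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme]


def same_origin_key(url):
    """Browser same-origin scope: scheme + host + port, so http and https never collapse."""
    return _parts(url)


def rfc2109_origin_server_key(url):
    """Scope as the RFC 2109 sentence quoted in the mail reads: host (or IP) and port, scheme ignored."""
    _, host, port = _parts(url)
    return (host, port)


def deployed_cookie_key(url):
    """Host-only scope; assumption of this example about how deployed browsers key cookies."""
    return _parts(url)[1]


SCOPES = {
    "same-origin": same_origin_key,
    "rfc2109": rfc2109_origin_server_key,
    "cookie-host": deployed_cookie_key,
}


def collapses(url_a, url_b):
    """Report, per scoping rule, whether the two URLs fall into one name space."""
    return {name: key(url_a) == key(url_b) for name, key in SCOPES.items()}


def cookie_sent(set_url, request_url, secure_flag=False):
    """Under host-only scoping, would a cookie set by set_url be attached to request_url?
    Only the Secure attribute (assumed here) re-introduces the scheme boundary."""
    if deployed_cookie_key(set_url) != deployed_cookie_key(request_url):
        return False
    return not (secure_flag and _parts(request_url)[0] != "https")


if __name__ == "__main__":
    # Constructed sample URLs: same authority, different scheme.
    print(collapses("http://example.com/", "https://example.com/"))
    print(cookie_sent("https://example.com/login", "http://example.com/"))
```

The second print shows the risk the thread circles around: a session cookie set over HTTPS without Secure is attached to a plain-HTTP request to the same host, even though the two URLs are distinct origins.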