W3C home > Mailing lists > Public > www-talk@w3.org > January to February 2009

Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 22 Feb 2009 23:10:09 -0800
Message-ID: <7789133a0902222310h48ffaf6fjdac5f141ea5c00ac@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
On Sun, Feb 22, 2009 at 6:14 PM, Mark Nottingham <mnot@mnot.net> wrote:
> A common use case (we think) will be to have
> <http://www.us.example.com/host-meta> HTTP redirect to
> <http://www.hq.example.com/host-meta>, or some other URI that's not on the
> same origin (as you defined it).

What behavior do you think is desirable here?  From a security point
of view, I would expect the host-meta from http://www.hq.example.com
to apply to http://www.hq.example.com (and not to
http://www.us.example.com).

> I think that the disconnect here is that your use case for 'origin' and this
> one -- while similar in many ways -- differ in this one, for good reasons.

I don't understand this comment.  In draft-abarth-origin, we need to
compute the origin of a HTTP request.  In this draft, we're interested
in computing the origin of an HTTP response.

> As such, I'm wondering whether or not it's useful to use the term 'origin'
> in this draft -- potentially going as far as renaming it (again!) to
> /origin-meta, although Eran is a bit concerned about confusing early
> adopters (with good cause, I think).

I don't have strong feelings about naming, but I wouldn't call it
origin-meta because different applications of the file might have
different (i.e., non-origin) scopes.

Adam
Received on Monday, 23 February 2009 07:10:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:30 GMT