- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 25 Nov 2009 13:18:37 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>

On Wed, Nov 25, 2009 at 12:30 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, Nov 25, 2009 at 12:26 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Wed, Nov 25, 2009 at 9:27 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>> On Wed, Nov 25, 2009 at 7:50 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>>>> That being said, defining this in a spec probably *is* a good idea. Did you
>>>> just volunteer? Note that to produce a spec you actual IETF WG is required.
>>>
>>> ;) No, I wasn't trying to throw myself on that grenade. ;) Not yet at
>>> least. Documenting SOP is a *big* task. I understand why it makes you
>>> worry about slipping deadlines. So, should the charter be revised to
>>> exclude the primary security policy that governs use of HTTP? ;)
>>
>> The same-origin policy is defined here:
>>
>> http://tools.ietf.org/html/draft-abarth-origin
>
> Actually, that draft is out of date. I've just uploaded a new draft,
> which I've also attached to this message.

That I-D defines an identifier for an origin, but not the Same Origin
Policy. For example, what document says: a HTTP PUT request cannot be
sent cross-origin.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 25 November 2009 21:19:10 UTC