Re: draft-ietf-httpbis-bcp56bis-11, "4.14. Maintaining Application Boundaries"

> On 20 Apr 2021, at 2:28 am, Roy T. Fielding <fielding@gbiv.com> wrote:
> 
...
> RFC6454 was abandoned by WHATWG before the ink dried. The reason we
> did not obsolete it in Semantics is because 6454 is specifically for user agents
> and defines the Origin header field, whereas the actual origin concept it uses
> came from the HTTP standard (as in, the origin server).
> 
> HTTP has added a string definition of origin consistent with both RFC6454
> and HTML, specifically to define the processing of authority for https, but
> without defining the browser-specific processing requirements of HTML.
> 
> If the sentence is about the origin concept of HTTP, it should reference HTTP Semantics.
> 
> If it is about javascript processing within an HTML context, not specific to HTTP, then
> it should reference HTML.
> 
> If it is about the Origin header field, it should reference RFC6454.
> 
> Or it can just reference all three and call it a day.

The following W3C specs currently defer to 6454 for the definition of 'origin' (the concept):

https://www.w3.org/TR/referrer-policy/
https://www.w3.org/TR/CSP2/
https://www.w3.org/TR/SRI/

Fetch says that it deprecates (hah) the Origin header, but not the concept. HTML defines the term but does not state its relationship to 6454.

Regardless, of all of the possible references here, 6454 is the best because it actually explains the higher-level concepts regarding trust and the same-origin policy (which isn't documented anywhere well, but is at least discussed here). That's the point of the reference; giving three references is overkill, and unfriendly to readers.

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 21 April 2021 02:00:42 UTC