- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 25 Nov 2009 09:27:46 -0800
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Nov 25, 2009 at 7:50 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Tyler Close wrote:
>>
>> AFAICT, HTTPbis says nothing about the Same Origin Policy (SOP), yet
>> this policy is a major constraint on the behavior of many HTTP user
>> agents, restricting what HTTP requests can be sent and what HTTP
>> responses can be delivered. SOP is not defined by any standard. Should
>> HTTPbis step up?
>> ...
>
> Well, HTTPbis (as WG and set of specs) is really constrained in what we're
> doing, see <http://www.ietf.org/dyn/wg/charter/httpbis-charter>. And that's
> a good thing, because an open-ended charter would make it likely that we
> never finish.

Quoting from the charter:

"""
The working group will refine RFC2616 to:
...
* Document the security properties of HTTP and its associated mechanisms (e.g., Basic and Digest authentication, cookies, TLS) for common applications
"""

Given that charter, it's hard to see how the WG can escape documenting the Same Origin Policy. It is a necessary part of how common applications use HTTP Auth, cookies and even unadorned HTTP requests and responses.

> That being said, defining this in a spec probably *is* a good idea. Did you
> just volunteer? Note that to produce a spec no actual IETF WG is required. ;)

No, I wasn't trying to throw myself on that grenade. ;) Not yet at least. Documenting SOP is a *big* task. I understand why it makes you worry about slipping deadlines.

So, should the charter be revised to exclude the primary security policy that governs use of HTTP? ;)

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 25 November 2009 17:28:26 UTC