Re: HTTPbis and the Same Origin Policy

On Wed, Nov 25, 2009 at 1:18 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Wed, Nov 25, 2009 at 12:30 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Wed, Nov 25, 2009 at 12:26 PM, Adam Barth <w3c@adambarth.com> wrote:
>>> On Wed, Nov 25, 2009 at 9:27 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>>> On Wed, Nov 25, 2009 at 7:50 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>>>>> That being said, defining this in a spec probably *is* a good idea. Did you
>>>>> just volunteer? Note that to produce a spec an actual IETF WG is required.
>>>>
>>>> ;) No, I wasn't trying to throw myself on that grenade. ;) Not yet at
>>>> least. Documenting SOP is a *big* task. I understand why it makes you
>>>> worry about slipping deadlines. So, should the charter be revised to
>>>> exclude the primary security policy that governs use of HTTP? ;)
>>>
>>> The same-origin policy is defined here:
>>>
>>> http://tools.ietf.org/html/draft-abarth-origin
>>
>> Actually, that draft is out of date.  I've just uploaded a new draft,
>> which I've also attached to this message.
>
> That I-D defines an identifier for an origin, but not the Same Origin
> Policy. For example, what document says: an HTTP PUT request cannot be
> sent cross-origin.

Whether one can send an HTTP PUT request to another origin depends on
which API is being used.  For the HTML Form element, the HTML
specification contains this requirement.  For the XMLHttpRequest API,
the XMLHttpRequest specification contains the requirement.

The essence of the same-origin policy is the "sameness" relation
(i.e., how to compute it on URLs), which is what's contained in that
draft.  The details of what actions are restricted to the "same"
origin are details best left to the application layer.

Adam
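The "sameness" relation Adam refers to, as an added example that is not part of the thread or of the draft: two URLs are same-origin when their (scheme, host, port) tuples agree after normalisation, and a URL with no network authority (data:, about:, a parse failure) gets an opaque origin that is equal to nothing else. The default-port table, the `originOf`/`sameOrigin` names and the opaque-origin representation are this example's own choices; which actions (a form POST, an XMLHttpRequest PUT) are gated on the result is, as the message says, decided by each API's specification and is not modelled here.

```javascript
// Added example, not code from the thread or from draft-abarth-origin.
// Computes an origin tuple from a URL and compares two URLs for "sameness".
// Relies on the WHATWG URL parser (global `URL` in Node and browsers), which
// already lowercases the scheme and host and strips a scheme's default port.

// Assumed default-port table for the schemes this example treats as having a
// network authority; anything else is given an opaque origin.
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ftp:": 21, "ws:": 80, "wss:": 443 };

let opaqueCounter = 0;

// Returns { scheme, host, port } for a URL with a network authority, or a
// fresh { opaque: n } object that will never compare equal to any other origin.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { opaque: ++opaqueCounter }; // unparsable: unique origin
  }
  if (!(url.protocol in DEFAULT_PORTS) || url.hostname === "") {
    return { opaque: ++opaqueCounter }; // data:, about:, file:, etc.
  }
  // url.port is "" when the port is the scheme's default, so restore it.
  const port = url.port === "" ? DEFAULT_PORTS[url.protocol] : Number(url.port);
  return { scheme: url.protocol.slice(0, -1), host: url.hostname, port };
}

// The sameness relation: tuple equality, with opaque origins never equal.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.opaque !== undefined || ob.opaque !== undefined) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample pairs illustrating what does and does not count as "same".
const SAMPLES = [
  ["http://example.com/a", "HTTP://Example.COM:80/b"],   // same: case and default port normalised
  ["http://example.com/", "https://example.com/"],       // different scheme
  ["http://example.com/", "http://example.com:8080/"],   // different port
  ["http://example.com/", "http://www.example.com/"],    // different host
  ["data:text/html,hi", "data:text/html,hi"],            // opaque: never same
];

for (const [a, b] of SAMPLES) {
  console.log(sameOrigin(a, b) ? "same   " : "differ ", a, b);
}
```

Note that the host comparison is exact: `example.com` and `www.example.com` are different origins even though the draft's relation says nothing about "sites" or registrable domains, and a non-default port alone is enough to separate two otherwise identical URLs.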

Received on Wednesday, 25 November 2009 21:26:42 UTC