- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 25 Nov 2009 13:34:58 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Nov 25, 2009 at 1:25 PM, Adam Barth <w3c@adambarth.com> wrote:
> Whether one can send an HTTP PUT request to another origin depends on
> which API is being used. For the HTML Form element, the HTML
> specification contains this requirement. For the XMLHttpRequest API,
> the XMLHttpRequest specification contains the requirement.
>
> The essence of the same-origin policy is the "sameness" relation
> (i.e., how to compute it on URLs), which is what's contained in that
> draft. The details of what actions are restricted to the "same"
> origin are details best left to the application layer.

My impression is that the undefined consensus understanding of the Same Origin Policy incorporates the rule that no API (not just a specific API, such as HTML form) can allow a cross-origin PUT, unless the target resource has somehow opted out of SOP protection. This rule, and others like it, are the source of much of the complexity in CORS. These rules are not left to the application layer.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 25 November 2009 21:35:34 UTC
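To make the two points in the exchange concrete, here is an added example (not from the thread or from either author): it computes the "sameness" relation on URLs as a scheme/host/port triple and models the opt-out rule for a cross-origin PUT, where the target resource must answer the CORS preflight with headers naming the requesting origin and the PUT method. Function names are my own, and credentialed requests are not modelled.

```javascript
// Added example: same-origin comparison plus the CORS opt-out decision for
// a cross-origin PUT. Header names are the standard CORS ones; everything
// else (function names, sample URLs) is constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin triple of a URL. The port falls back to the scheme default so that
// http://a.example and http://a.example:80 compare as the same origin.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Serialized form as it appears in an Origin / Access-Control-Allow-Origin
// header: the default port is omitted, a non-default port is kept.
function serialize(o) {
  const base = `${o.scheme}://${o.host}`;
  return o.port === DEFAULT_PORTS[o.scheme + ":"] ? base : `${base}:${o.port}`;
}

// May a document at documentUrl send a PUT to targetUrl?
// Same origin: always. Cross origin: only if the target's preflight response
// opts out of SOP protection for this origin and for the PUT method.
function mayPut(documentUrl, targetUrl, preflightHeaders) {
  if (sameOrigin(documentUrl, targetUrl)) return true;
  const h = {};
  for (const [k, v] of Object.entries(preflightHeaders || {})) h[k.toLowerCase()] = v;
  const allowOrigin = h["access-control-allow-origin"];
  const allowMethods = (h["access-control-allow-methods"] || "")
    .split(",").map((s) => s.trim().toUpperCase());
  const requester = serialize(originOf(documentUrl));
  const originOk = allowOrigin === "*" || allowOrigin === requester;
  return originOk && allowMethods.includes("PUT");
}
```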