- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 25 Nov 2009 14:34:03 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Nov 25, 2009 at 1:54 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, Nov 25, 2009 at 1:34 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> My impression is that the undefined consensus understanding of the
>> Same Origin Policy incorporates the rule that no API (not just a
>> specific API, such as HTML form) can allow a cross-origin PUT, unless
>> the target resource has somehow opted out of SOP protection.
>
> I think you're confusing two things:
>
> 1) What is an origin?
> 2) What restrictions ought we to place on cross-origin interactions?

No, I think I understand the difference between a thing and what you
can do with that thing. I think my point comes down to a rephrasing of
2):

2) What restrictions have been placed on cross-origin interactions and
must forever be obeyed by all APIs?

>> This
>> rule, and others like it, are the source of much of the complexity in
>> CORS. These rules are not left to the application layer.
>
> Indeed. Security in the application layer is quite complex. That's
> what makes life interesting. :)

So are you agreeing that there do exist SOP rules that the application
layer must obey? If so, should we document those rules?

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
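The rule under discussion above (a cross-origin PUT is refused unless the target resource opts in) is what a CORS preflight enforces. The following is an added illustration, not code from this thread or from either correspondent: a minimal server-side decision function showing how a resource grants that opt-in for one origin only. The policy values, origins and request objects are constructed for the example; browsers treat GET, HEAD and POST (the HTML form methods) as "simple" and only preflight the rest, which is why PUT needs the explicit OPTIONS exchange shown here.

```javascript
// Added example (not from the thread): a minimal CORS preflight decision
// function showing how a resource "opts out" of same-origin protection
// for PUT. A browser sends an OPTIONS preflight before a cross-origin PUT;
// unless the response names the origin and the method, the PUT is never sent.

// Methods browsers send cross-origin without a preflight (CORS "simple" methods).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Hypothetical policy for one resource: only this origin may PUT to it.
const POLICY = {
  allowedOrigins: new Set(["https://app.example"]), // constructed value
  allowedMethods: new Set(["GET", "PUT"]),
  maxAgeSeconds: 600,
};

// Decide whether a cross-origin request may proceed. `req` is a constructed
// object { method, origin, requestedMethod } where requestedMethod is the
// Access-Control-Request-Method value and is present only on a preflight.
// Returns the CORS response headers to add, or null to deny (no CORS
// headers at all, so the browser withholds the response from the page).
function corsDecision(req, policy) {
  if (!req.origin) return null; // no Origin header: nothing to grant
  if (!policy.allowedOrigins.has(req.origin)) return null;

  if (req.method === "OPTIONS" && req.requestedMethod) {
    // Preflight: the browser asks whether `requestedMethod` is permitted.
    if (!policy.allowedMethods.has(req.requestedMethod)) return null;
    return {
      "Access-Control-Allow-Origin": req.origin, // echo the one origin, not "*"
      "Access-Control-Allow-Methods": [...policy.allowedMethods].join(", "),
      "Access-Control-Max-Age": String(policy.maxAgeSeconds),
      "Vary": "Origin", // caches must not serve this grant to other origins
    };
  }

  // The actual request after a successful preflight: method is checked again.
  if (!policy.allowedMethods.has(req.method)) return null;
  return {
    "Access-Control-Allow-Origin": req.origin,
    "Vary": "Origin",
  };
}

// Whether a browser would need to preflight a request with this method.
function needsPreflight(method) {
  return !SIMPLE_METHODS.has(method);
}

// Walk one origin through the full exchange: preflight, then the PUT itself.
function exchange(origin) {
  const preflight = corsDecision(
    { method: "OPTIONS", origin, requestedMethod: "PUT" }, POLICY);
  if (!preflight) return { preflight: "denied", put: "not sent" };
  const put = corsDecision({ method: "PUT", origin }, POLICY);
  return { preflight: "allowed", put: put ? "allowed" : "denied" };
}

// Constructed origins: the allowlisted app and an unrelated site.
console.log("app.example:", exchange("https://app.example"));
console.log("other.example:", exchange("https://other.example"));
```

The point the function makes concrete is that the opt-in is per origin and per method: an origin missing from the allowlist, or a method missing from `allowedMethods`, gets no CORS headers at all rather than a partial grant, and the `Vary: Origin` header keeps a shared cache from replaying one origin's grant to another.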
Received on Wednesday, 25 November 2009 22:34:44 UTC