Re: HTTPbis and the Same Origin Policy

On Wed, Nov 25, 2009 at 2:34 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Wed, Nov 25, 2009 at 1:54 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Indeed.  Security in the application layer is quite complex.  That's
>> what makes life interesting.  :)
>
> So are you agreeing that there do exist SOP rules that the application
> layer must obey? If so, should we document those rules?

Yes.  At the application layer.

I'm not even sure you can articulate the policy coherently without
referring to application-layer concepts.  How would you explain the
restrictions on images in the HTML Canvas element in terms of HTTP
protocol messages?

Adam

Received on Thursday, 26 November 2009 01:56:41 UTC