- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 30 Nov 2009 11:25:05 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>

On Wed, Nov 25, 2009 at 5:55 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, Nov 25, 2009 at 2:34 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Wed, Nov 25, 2009 at 1:54 PM, Adam Barth <w3c@adambarth.com> wrote:
>>> Indeed. Security in the application layer is quite complex. That's
>>> what makes life interesting. :)
>>
>> So are you agreeing that there do exist SOP rules that the application
>> layer must obey? If so, should we document those rules?
>
> Yes. At the application layer.

Perhaps we're just talking past each other here. I'll try again...

When creating a new application layer API, the designers must take into account the SOP protection expected by resources. Currently, these expectations aren't documented anywhere. In the status-quo, the application layer API is expected to magically know all the SOP restrictions and then document how it enforces them. I'm just suggesting that it would be a good thing to remove some of the magic here by writing down the SOP restrictions, leaving the application API with only the task of documenting its enforcement mechanism.

> I'm not even sure you can articulate the policy coherently without
> referring to application-layer concepts. How would you explain the
> restrictions on images in the HTML Canvas element in terms of HTTP
> protocol messages?

The response to a GET request must not be made accessible to content from another origin, unless the target resource has explicitly indicated otherwise. The HTML <script> tag is a notable violation of this restriction for content matching a particular syntax. Otherwise, this rule seems widely enforced.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Monday, 30 November 2009 19:25:45 UTC