- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 30 Nov 2009 16:20:23 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Nov 30, 2009 at 11:25 AM, Tyler Close <tyler.close@gmail.com> wrote:

> On Wed, Nov 25, 2009 at 5:55 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Yes. At the application layer.
>
> Perhaps we're just talking past each other here. I'll try again...
>
> When creating a new application layer API, the designers must take into account the SOP protection expected by resources. Currently, these expectations aren't documented anywhere. In the status quo, the application layer API is expected to magically know all the SOP restrictions and then document how it enforces them. I'm just suggesting that it would be a good thing to remove some of the magic here by writing down the SOP restrictions, leaving the application API with only the task of documenting its enforcement mechanism.

I agree with everything you're saying, but you haven't explained why this documentation should be at the protocol layer instead of the application layer.

>> I'm not even sure you can articulate the policy coherently without referring to application-layer concepts. How would you explain the restrictions on images in the HTML Canvas element in terms of HTTP protocol messages?
>
> The response to a GET request must not be made accessible to content from another origin, unless the target resource has explicitly indicated otherwise. The HTML <script> tag is a notable violation of this restriction for content matching a particular syntax. Otherwise, this rule seems widely enforced.

Maciej already responded to this point, but this is a drastic oversimplification.

Adam
Received on Tuesday, 1 December 2009 00:21:23 UTC
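To make the rule Tyler states concrete ("the response to a GET request must not be made accessible to content from another origin, unless the target resource has explicitly indicated otherwise"), here is an added illustration that is not part of the thread and is nobody's code from the list. It encodes the reader-side check a browser makes: the requesting page's origin (scheme, host, port) is compared with the resource's origin, and a cross-origin response is readable only if the resource opted in. The opt-in signal is assumed here to be the CORS `Access-Control-Allow-Origin` response header, which the thread does not mention; the `<script>` exception Tyler points out is deliberately not modelled, since it is an application-layer (HTML) carve-out, which is Adam's point.

```python
from urllib.parse import urlsplit

# Default ports so that "https://a.example" and "https://a.example:443"
# compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple that the SOP compares."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def response_readable(page_url, resource_url, response_headers):
    """Decide whether script running in the page at page_url may read the
    body of a GET to resource_url, given the response headers.

    Same origin: always readable. Cross origin: readable only if the
    resource explicitly opted in (assumption: via Access-Control-Allow-Origin).
    """
    if origin_of(page_url) == origin_of(resource_url):
        return True

    headers = {name.lower(): value for name, value in response_headers.items()}
    allow = headers.get("access-control-allow-origin")
    if allow is None or allow.strip().lower() == "null":
        return False          # no opt-in: the default SOP rule applies
    if allow.strip() == "*":
        return True           # resource opted in for every origin
    return origin_of(allow.strip()) == origin_of(page_url)


if __name__ == "__main__":
    # Constructed sample: page on app.example reading from api.example.
    page = "https://app.example/index.html"
    print(response_readable(page, "https://app.example/data.json", {}))                 # True
    print(response_readable(page, "https://api.example/data.json", {}))                 # False
    print(response_readable(page, "https://api.example/data.json",
                            {"Access-Control-Allow-Origin": "https://app.example"}))    # True
    print(response_readable(page, "https://app.example:8443/data.json", {}))            # False (port differs)
```

The port and scheme comparisons are the part people most often get wrong when they try to state the policy informally: `http://app.example` and `https://app.example` are different origins, and so are two ports on the same host.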