Re: HTTPbis and the Same Origin Policy

On Nov 30, 2009, at 5:23 PM, Adam Barth wrote:

> 1) The same-origin policy applies regardless of which protocols are
> used (e.g., FTP, Gopher, HTTP).
> 2) The same-origin policy applies differently to different
> application-layer APIs (e.g., XMLHttpRequest, <canvas>, @font-face).

3) The same-origin policy is originally and primarily about scripting,  
not networking. It has only lately and incidentally come to encompass  
networking as well, largely to prevent working around the restrictions  
on client-side scripting in the browser. It's impossible to explain  
the restrictions on networking without reference to the original  
scripting context.

Regards,
Maciej

Received on Tuesday, 1 December 2009 02:41:51 UTC