Re: HTTPbis and the Same Origin Policy

I also had noticed of late that the "Same Origin Policy" is essentially 
undocumented, and is communicated by oral and in-the-code tradition (as Tyler 
notes) -- so I'm happy to see Tyler bring it up.

I agree with the sentiment that it isn't something that is appropriate to 
document in the main-line httpbis I-Ds, although I nominally believe it 
deserves mention in draft-ietf-httpbis-security-properties (which I & Barry 
Leiba are ostensibly editing (new draft will be out before Anaheim)).

It appears to me that the "Browser Security Handbook" 
<http://code.google.com/p/browsersec/> is an appropriate place at this time to 
coalesce details wrt Same Origin Policies of various APIs, and that in fact is 
what Michal is apparently doing. See:

Standard browser security features / Same-origin policy
http://code.google.com/p/browsersec/wiki/Part2#Standard_browser_security_features
=JeffH

Received on Tuesday, 1 December 2009 03:59:33 UTC