- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 2 Jul 2013 08:55:40 -0700
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Cc: Sam Pullara <spullara@gmail.com>, Shigeki Ohtsu <ohtsu@iij.ad.jp>, HTTP Working Group <ietf-http-wg@w3.org>
On 2 July 2013 01:18, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> Would this be the first case of the same origin policy (SOP)
> being used within HTTP, or is that already done somewhere?

Actually yes. Sort of.

HTTPS (2818) only requires that a server offer a certificate that contains the domain name (and chains to a trusted issuer, etc...). That means that we're actually being MORE restrictive by adding port to the set of things to check.

The only reason that this becomes an issue is server push (as above). This does impose some constraints on implementations, but I'll refer you to http://tools.ietf.org/html/draft-unicorn-httpbis-http2-00#section-10.3 where this is discussed. 10.1 touches on the issue as well, but I'm less happy with that text.
Received on Tuesday, 2 July 2013 15:56:09 UTC
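To make the distinction in the message concrete, the following is an added Python sketch (not from the thread, the draft, or any HTTP/2 implementation) that contrasts an RFC 2818 style check, which only asks whether the certificate covers the hostname, with the stricter check for pushed resources that also requires the port to match the connection. The connection record and certificate names are constructed, and the wildcard matching is a simplified single-label rule assumed for illustration.

```python
from urllib.parse import urlsplit

# Constructed example: a TLS connection to www.example.com:443 whose
# certificate lists these subject alternative names.
CONNECTION = {
    "scheme": "https",
    "host": "www.example.com",
    "port": 443,
    "cert_names": ["www.example.com", "*.static.example.com"],
}


def cert_covers(cert_names, host):
    """Does the certificate name list cover `host`?

    Exact match, or a wildcard that replaces only the leftmost label
    (a simplified rule assumed here, not a full RFC 6125 matcher).
    """
    host = host.lower()
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            first, rest = host.split(".", 1)
            if first and rest == name[2:]:
                return True
    return False


def rfc2818_authoritative(conn, url):
    """RFC 2818 style: scheme is https and the cert covers the hostname."""
    u = urlsplit(url)
    if u.scheme != "https" or not u.hostname:
        return False
    return cert_covers(conn["cert_names"], u.hostname)


def push_authoritative(conn, url):
    """Stricter server-push check: cert covers the hostname AND the
    URL's port (default 443) equals the port of the connection."""
    u = urlsplit(url)
    if u.scheme != "https" or not u.hostname:
        return False
    port = u.port if u.port is not None else 443
    return cert_covers(conn["cert_names"], u.hostname) and port == conn["port"]
```

A push for `https://www.example.com:8443/app.js` passes the name-only check but fails the push check, because the certificate says nothing about which port the server is authoritative for.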