W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2021

Re: draft-ietf-httpbis-bcp56bis-11, "4.14. Maintaining Application Boundaries"

From: Roy T. Fielding <fielding@gbiv.com>
Date: Mon, 19 Apr 2021 09:28:24 -0700
Cc: Julian Reschke <julian.reschke@gmx.de>, ietf-http-wg@w3.org
Message-Id: <AD34E040-2CF4-490C-A31F-6FA64A63FF3F@gbiv.com>
To: Mark Nottingham <mnot@mnot.net>

> On Apr 19, 2021, at 1:22 AM, Mark Nottingham <mnot@mnot.net> wrote:
> You shock me; they've never done *that* before.
>> On 19 Apr 2021, at 6:20 pm, Julian Reschke <julian.reschke@gmx.de> wrote:
>> Am 19.04.2021 um 10:13 schrieb Mark Nottingham:
>>> BCP56bis is a set of recommendations for applications that build on top of HTTP, not just commentary on those specs. In particular, the section you're referring to is talking about browser mechanisms for security, which do *not* reference HTTP for this definition; they reference Origin.
>>> Cheers,
>> Hmm. HTML5 has its own definition: <https://html.spec.whatwg.org/#origin>.
>> Best regards, Julian

RFC6454 was abandoned by WHATWG before the ink dried. The reason we
did not obsolete it in Semantics is because 6454 is specifically for user agents
and defines the Origin header field, whereas the actual origin concept it uses
came from the HTTP standard (as in, the origin server).

HTTP has added a string definition of origin consistent with both RFC6454
and HTML, specifically to define the processing of authority for https, but
without defining the browser-specific processing requirements of HTML.

If the sentence is about the origin concept of HTTP, it should reference HTTP Semantics.

If it is about javascript processing within an HTML context, not specific to HTTP, then
it should reference HTML.

If it is about the Origin header field, it should reference RFC6454.

Or it can just reference all three and call it a day.

Received on Monday, 19 April 2021 16:28:51 UTC

This archive was generated by hypermail 2.4.0 : Monday, 19 April 2021 16:28:53 UTC