Re: draft-ietf-httpbis-bcp56bis-11, "4.14. Maintaining Application Boundaries"

> On Apr 19, 2021, at 1:22 AM, Mark Nottingham <mnot@mnot.net> wrote:
> 
> You shock me; they've never done *that* before.
> 
> 
>> On 19 Apr 2021, at 6:20 pm, Julian Reschke <julian.reschke@gmx.de> wrote:
>> 
>> Am 19.04.2021 um 10:13 schrieb Mark Nottingham:
>>> BCP56bis is a set of recommendations for applications that build on top of HTTP, not just commentary on those specs. In particular, the section you're referring to is talking about browser mechanisms for security, which do *not* reference HTTP for this definition; they reference Origin.
>>> 
>>> Cheers,
>> Hmm. HTML5 has its own definition: <https://html.spec.whatwg.org/#origin>.
>> 
>> Best regards, Julian

RFC6454 was abandoned by WHATWG before the ink dried. The reason we
did not obsolete it in Semantics is because 6454 is specifically for user agents
and defines the Origin header field, whereas the actual origin concept it uses
came from the HTTP standard (as in, the origin server).

HTTP has added a string definition of origin consistent with both RFC6454
and HTML, specifically to define the processing of authority for https, but
without defining the browser-specific processing requirements of HTML.

If the sentence is about the origin concept of HTTP, it should reference HTTP Semantics.

If it is about javascript processing within an HTML context, not specific to HTTP, then
it should reference HTML.

If it is about the Origin header field, it should reference RFC6454.

Or it can just reference all three and call it a day.

....Roy
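The origin concept the three specs share (scheme, host, effective port, independent of path), as an added Python example that is not part of this thread; the function names are my own, and the default-port and serialization rules follow RFC 6454 and HTTP Semantics:

```python
from urllib.parse import urlsplit

# Default ports per scheme, as used by both RFC 6454 and HTTP Semantics.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(uri):
    """Return the (scheme, host, port) origin triple of an http(s) URI.

    Scheme and host are case-insensitive and are lowercased; a missing port
    takes the scheme's default. Path, query and fragment do not contribute,
    so two resources on one server share an origin regardless of path.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URI with an authority: {uri!r}")
    # urlsplit lowercases the hostname and strips the [] of an IPv6 literal.
    host = parts.hostname
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def serialize_origin(origin):
    """ASCII serialization of an origin, the form carried in an Origin header field.

    The port is omitted when it is the scheme's default, as RFC 6454 specifies.
    """
    scheme, host, port = origin
    if ":" in host:  # an IPv6 literal must be re-bracketed in the serialization
        host = f"[{host}]"
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def same_origin(uri_a, uri_b):
    """True when both URIs resolve to the same (scheme, host, port) triple."""
    return origin_of(uri_a) == origin_of(uri_b)
```

Note that the comparison is on the normalized triple, so `https://Example.COM/` and `https://example.com:443/x` are one origin while `http://` and `https://` on the same host are two.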

Received on Monday, 19 April 2021 16:28:51 UTC