Re: draft-ietf-httpbis-bcp56bis-11, "4.14. Maintaining Application Boundaries"

On Tue, Apr 20, 2021 at 7:23 PM Mark Nottingham <mnot@mnot.net> wrote:

>
> > On 20 Apr 2021, at 2:28 am, Roy T. Fielding <fielding@gbiv.com> wrote:
> >
> ...
> > RFC6454 was abandoned by WHATWG before the ink dried. The reason we
> > did not obsolete it in Semantics is because 6454 is specifically for user agents
> > and defines the Origin header field, whereas the actual origin concept it uses
> > came from the HTTP standard (as in, the origin server).
> >
> > HTTP has added a string definition of origin consistent with both RFC6454
> > and HTML, specifically to define the processing of authority for https, but
> > without defining the browser-specific processing requirements of HTML.
> >
> > If the sentence is about the origin concept of HTTP, it should reference HTTP Semantics.
> >
> > If it is about javascript processing within an HTML context, not specific to HTTP, then
> > it should reference HTML.
> >
> > If it is about the Origin header field, it should reference RFC6454.
> >
> > Or it can just reference all three and call it a day.
>
> The following W3C specs currently defer to 6454 for the definition of
> 'origin' (the concept):
>
> https://www.w3.org/TR/referrer-policy/ (2017)
> https://www.w3.org/TR/CSP2/ (2016)
> https://www.w3.org/TR/SRI/ (2016)


The newest versions of these:
https://w3c.github.io/webappsec-referrer-policy/,
https://w3c.github.io/webappsec-csp/, and
https://w3c.github.io/webappsec-subresource-integrity/, no longer refer to
RFC 6454. This comment doesn't imply any position on the substantive
question in this thread.

Jeffrey

Received on Wednesday, 21 April 2021 21:48:30 UTC