- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 27 Mar 2009 17:08:37 +0100
- To: Sam Ruby <rubys@intertwingly.net>
- Cc: Dan Connolly <connolly@w3.org>, public-ietf-w3c <public-ietf-w3c@w3.org>, Mark Nottingham <mnot@mnot.net>
On 27 Mar 2009, at 17:00, Sam Ruby wrote:

> Thomas Roessler wrote:
>> On 27 Mar 2009, at 14:42, Thomas Roessler wrote:
>>> Thanks Sam and Dan!
>>>
>>> From the notes, I can't quite tell whether Origin and CORS got
>>> discussed together or separately. That doesn't really match
>>> reality, as there's (at least in the view of some)
>>
>> "Discussing them separately ignores an important motivation for
>> Origin" is what I mean -- sorry for the unclear words.
>
> They were discussed separately. As you point out, that may have
> been unfortunate. I was unaware of the connection between the two.

That's what I feared.

Mark, any ideas on how to manage next steps in that discussion? (I'd hope we can avoid the "cross site request forgery is not a security hole" rathole this time...)

>>> value to using the same header for CORS and more general cross
>>> site request forgery prevention. That aspect is, in my view, an
>>> important element in the cost/benefit analysis for Origin.
>>>
>>> Concerning "JavaScript sandboxing", I wonder what precisely people
>>> at the meeting had in mind. Is this another instance of the topic
>>> area of last December's workshop
>>>
>>> http://www.w3.org/2008/security-ws/
>>>
>>> ... or is something different meant?
>
> That was mentioned in passing, simply as an area where additional
> security review may be warranted. It wasn't elaborated further.

Thanks for clarifying.
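The dual use of Origin that the message argues for, shown as an added example that is not part of the thread nor taken from any W3C or IETF draft: a single server-side check that consults the Origin request header both to allow-list CORS callers and to refuse cross-site state-changing requests. The origins, the allow-list and the policy for requests that carry no Origin header are assumptions made for the example.

```python
# Added example (not from the thread): one server-side check that uses the
# Origin request header for both purposes the message mentions, CORS
# allow-listing and cross-site request forgery (CSRF) rejection.
# Origins, the allow-list and the no-Origin policy are constructed.
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # never change server state


@dataclass
class Decision:
    allowed: bool
    reason: str
    cors_headers: dict = field(default_factory=dict)


def check_origin(method, headers, site_origin, allowed_origins):
    """Decide whether to serve a request, based on its Origin header.

    site_origin:     this server's own origin, e.g. "https://app.example"
    allowed_origins: cross-origin sites that may read responses via CORS
    """
    method = method.upper()
    # Header names are case-insensitive; normalise before the lookup.
    origin = {k.lower(): v for k, v in headers.items()}.get("origin")

    if origin is None:
        # No Origin header (same-origin navigation, older clients). Safe
        # methods are harmless; for state changes this policy (an assumption
        # of the example) rejects rather than trusts the request.
        if method in SAFE_METHODS:
            return Decision(True, "no Origin, safe method")
        return Decision(False, "no Origin on state-changing request")

    if origin == site_origin:
        return Decision(True, "same-origin")   # no CORS headers needed

    if origin in allowed_origins:
        # Trusted cross-origin caller: echo the exact origin back so the
        # browser lets the caller read the response; Vary keeps caches
        # from serving one origin's answer to another origin.
        return Decision(True, "allow-listed cross-origin",
                        {"Access-Control-Allow-Origin": origin,
                         "Vary": "Origin"})

    # Unknown origin (including the opaque "null" origin).
    if method in SAFE_METHODS:
        # Serve it without CORS headers: the browser withholds the body.
        return Decision(True, "unknown origin, response not readable")
    # A cross-site POST/PUT/DELETE from an unknown origin is the CSRF case.
    return Decision(False, "CSRF: unknown origin on state-changing request")
```

The same `Origin` value drives both outcomes: it selects which cross-origin callers get CORS headers and it identifies the cross-site state-changing request that should be refused.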
Received on Friday, 27 March 2009 16:08:49 UTC