- From: Andrew Sullivan <ajs@anvilwalrusden.com>
- Date: Thu, 10 May 2012 02:25:58 -0400
- To: Henrik Nordström <henrik@henriknordstrom.net>
- Cc: Maciej Stachowiak <mjs@apple.com>, Peter Saint-Andre <stpeter@stpeter.im>, Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>
Hi, I'm responding to two messages at once because I didn't receive the earlier of these. I should note that I'm not actually a subscriber to any w3c list, and so if one wants me to address a particular objection one needs to cc: me for the time being. I appreciate the comments, however! On Thu, May 10, 2012 at 07:17:40AM +0200, Henrik Nordström wrote: > ons 2012-05-09 klockan 22:10 -0700 skrev Maciej Stachowiak: > > > Treating separate domains as same-origin based on DNS records seems > > extremely dangerous I'm not sure how I can respond to this objection, given that the entire idea of "same origin" without DNS is hard for me to understand. What do you mean by it? I think the draft actually points out that, if both sides don't agree or you're not using DNSSEC (or both), there are problems. Is that not clear enough? > Further, the user-agent may be using proxies, not using or even having > access to DNS. Indeed, and I thought I called that out as one of the central problems: 6. Limitations of the approach […] Finally, in many environments the system hosting the application has only proxied access to the Internet, and cannot query the DNS directly. It is not clear how such clients could ever possibly retrieve the BOUND record for a name. Is that not clear enough? What would make it clearer? Best, A -- Andrew Sullivan ajs@anvilwalrusden.com
Received on Thursday, 10 May 2012 06:27:22 UTC