
Re: comments on Cross-Origin Resource Sharing (CORS) of 3-Apr-2012 (was: hey hey)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 21 Jun 2012 12:31:00 +0200
Message-ID: <CADnb78gv=Pm0Fquvv8OoOF1AB1jV_R751gBJxiPJaUu9cv=M2w@mail.gmail.com>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: W3C Web App Security WG <public-webappsec@w3.org>
On Tue, Jun 19, 2012 at 10:53 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> We could use some guidance on W3C spec-editing practices such as
> communicating markups.

We have rough guidelines here:


They are mostly aimed at API specifications, but apply here too.

> I can re-send the revised security considerations section in html if that'll
> help.
> I would obtain the present doc source here..
>  http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.src.html
> ..yes?

That would be excellent.

>> 2) I'm not sure the new text is actually better. E.g. it contains the
>> phrase "This specification defines how to authorize an instance of an
>> application from a foreign origin, executing in the user agent, to
>> access the representation of the resource in an HTTP response." Origin
>> is a user-agent centric concept. Turning it around seems unwise and is
>> inconsistent with the rest of the specification and any other
>> specification on the subject.
>> It's also not clear to me we need to reiterate what
>> http://tools.ietf.org/html/rfc6454 already explains.
> that doesn't match my reading of RFC6454. "origin" (nee "web origin") is
> about designating the source of "content", which isn't strictly "user-agent
> centric".

Right, but it's the user agent that evaluates, compares, and enforces
origins. (As should be evident from all the places where origin is
used in the platform, including CORS.)

Anne — Opera Software
Received on Thursday, 21 June 2012 10:31:32 UTC
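The point Anne makes above, that the user agent is the party that derives, compares and enforces origins, is easy to see in code. The following is an added illustration, not code from this thread or from the CORS specification: it derives an RFC 6454 origin tuple from a URL, serializes it, performs a same-origin comparison, and applies the user-agent side check against an `Access-Control-Allow-Origin` response header. The function names, the default-port table and the simplification to a single allowed origin (no `null` origin, no preflight handling) are assumptions of this example.

```python
from urllib.parse import urlsplit

# Default ports by scheme, used when a URL omits an explicit port (RFC 6454 section 4).
# This table is an assumption of the example; only http and https are covered.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) origin tuple of an absolute URL (RFC 6454 section 4).

    Scheme and host are lowercased before comparison; a missing port resolves to the
    scheme's default port. A URL from which no origin can be derived raises ValueError.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"cannot derive an origin from {url!r}")
    return (scheme, host, port)


def serialize_origin(origin):
    """ASCII serialization of an origin (RFC 6454 section 6.1): scheme://host[:port].

    The port is omitted when it is the scheme's default port.
    """
    scheme, host, port = origin
    if DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def same_origin(url_a, url_b):
    """Same-origin comparison as the user agent performs it: all three tuple parts must match."""
    return origin_of(url_a) == origin_of(url_b)


def cors_allows(request_origin_url, allow_origin_header, with_credentials=False):
    """User-agent side resource-sharing check on a response header (simplified).

    The user agent, not the server, decides whether the fetching origin may read the
    response: the header must be "*" (only acceptable without credentials) or a
    case-sensitive match of the serialized request origin.
    """
    if allow_origin_header is None:
        return False
    if allow_origin_header == "*":
        return not with_credentials
    return allow_origin_header == serialize_origin(origin_of(request_origin_url))


if __name__ == "__main__":
    # Constructed sample: a page on http://app.example fetching a resource elsewhere.
    page = "http://app.example/index.html"
    print(serialize_origin(origin_of(page)))                     # http://app.example
    print(same_origin(page, "http://app.example:80/other"))      # True (80 is http's default)
    print(same_origin(page, "https://app.example/"))             # False (scheme differs)
    print(cors_allows(page, "http://app.example"))               # True
    print(cors_allows(page, "*", with_credentials=True))         # False
```

Note that nothing in `cors_allows` consults the server beyond the header it already sent: the server states a policy, but the comparison against the fetching origin happens inside the user agent, which is the "user-agent centric" reading of origin the message above describes.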
