- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 21 Jun 2012 12:31:00 +0200
- To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
- Cc: W3C Web App Security WG <public-webappsec@w3.org>
On Tue, Jun 19, 2012 at 10:53 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> We could use some guidance on W3C spec-editing practices such as
> communicating markups.

We have rough guidelines here: http://wiki.whatwg.org/wiki/Howto_spec
They are mostly aimed at API specifications, but apply here too.

> I can re-send the revised security considerations section in html if that'll
> help.
>
> I would obtain the present doc source here..
>
> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.src.html
>
> ..yes?

That would be excellent.

>> 2) I'm not sure the new text is actually better. E.g. it contains the
>> phrase "This specification defines how to authorize an instance of an
>> application from a foreign origin, executing in the user agent, to
>> access the representation of the resource in an HTTP response." Origin
>> is a user-agent centric concept. Turning it around seems unwise and is
>> inconsistent with the rest of the specification and any other
>> specification on the subject.
>>
>> It's also not clear to me we need to reiterate what
>> http://tools.ietf.org/html/rfc6454 already explains.
>
> that doesn't match my reading of RFC6454. "origin" (nee "web origin") is
> about designating the source of "content", which isn't strictly "user-agent
> centric.

Right, but it's the user agent that evaluates, compares, and enforces
origins. (As should be evident from all the places where origin is
used in the platform, including CORS.)

--
Anne — Opera Software
http://annevankesteren.nl/
http://www.opera.com/

Received on Thursday, 21 June 2012 10:31:32 UTC