- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 29 Jun 2010 17:01:23 +0200
- To: art.barstow@nokia.com, "Thomas Roessler" <tlr@w3.org>
- Cc: "'www-archive'" <www-archive@w3.org>
On Tue, 22 Jun 2010 14:06:23 +0200, Thomas Roessler <tlr@w3.org> wrote: > no news that I'd be aware of. > > Anne, can you take a first stab at the security considerations? As I > said earlier, I'm available to review things, but don't have the > bandwidth to do significant writing this week. I read through the original thread again (several times, I might add) and I'm still not sure what needs to be written down. http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/thread.html#msg202 CONNECT, TRACK, and TRACE already have references with detailed explanations. DNS rebinding is a generic problem. setRequestHeader no longer mentions security reasons. HTTP redirects simply follow the same policy as normal requests. Origin is also a generic problem. I suspect we'll switch references from HTML5 to the origin specification in due course. The SHOULD/MUST confusion has been addressed too. The original thread concluded with looking for volunteers for certain aspects and the question as to whether a generic document was needed. I have attempted to clarify matters somewhat in the specification for setRequestHeader. Other than that I believe said volunteers have not been found. A document has not been written either. It has now been almost six months. We can continue looking I suppose, and we probably should, but at some point we have to cut our losses and move on. -- Anne van Kesteren http://annevankesteren.nl/
Received on Tuesday, 29 June 2010 15:02:18 UTC