- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 30 Jun 2010 09:41:12 +0100
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Thomas Roessler <tlr@w3.org>, art.barstow@nokia.com, "'www-archive'" <www-archive@w3.org>
I should be able to look at this in more detail later this week. Sorry that this didn't work out within the time frame we had planned for.

--
Thomas Roessler, W3C <tlr@w3.org> (@roessler)

On 29 Jun 2010, at 16:01, Anne van Kesteren wrote:

> On Tue, 22 Jun 2010 14:06:23 +0200, Thomas Roessler <tlr@w3.org> wrote:
>> no news that I'd be aware of.
>>
>> Anne, can you take a first stab at the security considerations? As I said earlier, I'm available to review things, but don't have the bandwidth to do significant writing this week.
>
> I read through the original thread again (several times, I might add) and I'm still not sure what needs to be written down.
>
> http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/thread.html#msg202
>
> CONNECT, TRACK, and TRACE already have references with detailed explanations.
>
> DNS rebinding is a generic problem.
>
> setRequestHeader no longer mentions security reasons.
>
> HTTP redirects simply follow the same policy as normal requests.
>
> Origin is also a generic problem. I suspect we'll switch references from HTML5 to the origin specification in due course.
>
> The SHOULD/MUST confusion has been addressed too.
>
>
> The original thread concluded with looking for volunteers for certain aspects and the question as to whether a generic document was needed. I have attempted to clarify matters somewhat in the specification for setRequestHeader. Other than that I believe said volunteers have not been found. A document has not been written either. It has now been almost six months. We can continue looking I suppose, and we probably should, but at some point we have to cut our losses and move on.
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
Received on Wednesday, 30 June 2010 10:49:58 UTC