- From: Jonathan A Rees <rees@mumble.net>
- Date: Tue, 11 Sep 2012 09:20:05 -0400
- To: www-tag@w3.org
ACTION-695: Check with Thomas Roessler on whether security review of CORS is coming up in W3C/IETF liaison
https://www.w3.org/2001/tag/group/track/actions/695

Set 'pending review'.

The answer was no. Thomas felt that formal IETF review would be redundant as Mark Nottingham and Jeff Hodges have already looked at it. I guess the next question is how the WG responded to the reviews and how satisfied the reviewers are now.

The purpose of this message is bibliographic (i.e. it gives selections from some web searches that I did :).

1. Mark Nottingham, "[cors] Review", May 2009
   http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/0643.html

   There are about 40 messages in the response thread. I haven't gone to the effort to check whether or how subsequent drafts (of which there have been several) addressed Mark's points.

2. Jeff Hodges, "Comments on Cross-Origin Resource Sharing (CORS) of 3-Apr-2012", May 2012
   http://lists.w3.org/Archives/Public/public-webappsec/2012May/0006.html

   Jeff's summary of followup:
   http://lists.w3.org/Archives/Public/public-webappsec/2012Jun/0030.html

   I haven't gone to the effort to check whether or how subsequent drafts addressed Jeff's points.

3. Giles Hogben et al. (KU Leuven), "A Security Analysis of Next Generation Web Standards", copyright 2011
   https://distrinet.cs.kuleuven.be/projects/HTML5-security/

   Mentioned on public-webapps:
   http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0556.html
   and here:
   http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0559.html

   PLH brought this report to the TAG's attention at the Dec 2011 F2F:
   http://www.w3.org/2001/tag/2011/12/15-minutes#item04

   My google search didn't find discussion of this report. Maybe it was never submitted to any WG. If the TAG wants to talk about web app security this seems like it might be a great starting point.

   I haven't gone to the effort to check whether or how subsequent drafts addressed the points raised in this report, or even whether the WG looked at them at all.

Jonathan
Received on Tuesday, 11 September 2012 13:20:39 UTC