Re: Fallback flow for /site-meta for top level domains

On 03/12/2008, at 11:32 PM, Ben Laurie wrote:

> On Wed, Dec 3, 2008 at 10:38 AM, Mark Nottingham <>  
> wrote:
>> Considering that one of your core use cases for this is security- 
>> related,
>> I'm surprised that you're effectively arguing that HTTP and HTTPS  
>> URLs with
>> the same authority be collapsed into one name space.
>> Many standards and common practices currently sandbox policy and  
>> metadata to
>> a single URL scheme + authority by default, including robots.txt,  
>> p3p.xml,
>> cookie scoping,
> Surely cookies are scoped to HTTP and HTTPS by default.

It depends on who you talk to; we don't really have a spec for cookies  
that reflects reality, and there are subtle differences in the  
implementations. RFC2109 says
> The user agent keeps separate track of state information that  
> arrives via Set-Cookie response headers from each origin server (as  
> distinguished by name or IP address and port).

... but goes on to contradict that later one.

Authentication is a better example.

>> automated redirection processing in HTTP,
> I don't know what this is.

Argh - sorry, confused a proposal discussed recently with specified  
behaviour. Never mind.

>> cache invalidation, OPTIONS metadata, cross-site scripting
> There are standards for XSS???

There's a de facto standard in the browsers (same origin), and these  
folks are working towards something more formal, maybe;

Mark Nottingham

Received on Wednesday, 3 December 2008 12:59:17 UTC