Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

On Sun, Feb 22, 2009 at 6:14 PM, Mark Nottingham <mnot@mnot.net> wrote:
> A common use case (we think) will be to have
> <http://www.us.example.com/host-meta> HTTP redirect to
> <http://www.hq.example.com/host-meta>, or some other URI that's not on the
> same origin (as you defined it).

What behavior do you think is desirable here?  From a security point
of view, I would expect the host-meta from http://www.hq.example.com
to apply to http://www.hq.example.com (and not to
http://www.us.example.com).

> I think that the disconnect here is that your use case for 'origin' and this
> one -- while similar in many ways -- differ in this one, for good reasons.

I don't understand this comment.  In draft-abarth-origin, we need to
compute the origin of a HTTP request.  In this draft, we're interested
in computing the origin of an HTTP response.

> As such, I'm wondering whether or not it's useful to use the term 'origin'
> in this draft -- potentially going as far as renaming it (again!) to
> /origin-meta, although Eran is a bit concerned about confusing early
> adopters (with good cause, I think).

I don't have strong feelings about naming, but I wouldn't call it
origin-meta because different applications of the file might have
different (i.e., non-origin) scopes.

Adam

Received on Monday, 23 February 2009 07:10:45 UTC