IETF Logo Mail Archive

Re: #322: Origin

Mark Nottingham <mnot@mnot.net> Sat, 24 December 2011 03:10 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D07711E80AD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 23 Dec 2011 19:10:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cY+bRN8M+0fE for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 23 Dec 2011 19:10:36 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id A90F511E80AC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 23 Dec 2011 19:10:36 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ReHym-0004up-Un for ietf-http-wg-dist@listhub.w3.org; Sat, 24 Dec 2011 03:09:00 +0000
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <mnot@mnot.net>) id 1ReHyN-0004sh-M2 for ietf-http-wg@listhub.w3.org; Sat, 24 Dec 2011 03:08:35 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1ReHyL-0005KY-Rv for ietf-http-wg@w3.org; Sat, 24 Dec 2011 03:08:35 +0000
Received: from [192.168.2.106] (unknown [96.244.180.242]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id A5D2822E1EB; Fri, 23 Dec 2011 22:08:11 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="iso-8859-1"
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAJE5ia_XBhYB-W-F_Tz+-kNq4L8SG+1tN0r4CCbE64yWacjTrA@mail.gmail.com>
Date: Fri, 23 Dec 2011 22:08:10 -0500
Cc: Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F7613285-2F55-43E5-8AE1-21B4A35A3998@mnot.net>
References: <DDF6EEB5-8482-4B60-BBA3-16E07AC7E003@mnot.net> <4EE8D749.3080508@gmx.de> <C9EB9865-2ADE-48B5-A30C-82A9A34853AF@mnot.net> <CAJE5ia_XBhYB-W-F_Tz+-kNq4L8SG+1tN0r4CCbE64yWacjTrA@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
X-Mailer: Apple Mail (2.1251.1)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1ReHyL-0005KY-Rv 0162bc693831856e1ab601f2e70079eb
X-Original-To: ietf-http-wg@w3.org
Subject: Re: #322: Origin
Archived-At: <http://www.w3.org/mid/F7613285-2F55-43E5-8AE1-21B4A35A3998@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/11927
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1ReHym-0004up-Un@frink.w3.org>
Resent-Date: Sat, 24 Dec 2011 03:09:00 +0000

On 14/12/2011, at 11:50 PM, Adam Barth wrote:

>>> Proposal for p6 2.5:
>>>> 
>>>> """However, a cache MUST NOT invalidate a URI from a Location or Content-Location header field if that URI does not have the same origin as that of the effective request URI (section 4.3 of [Part1]), as specified in [ref to origin rfc]."""
>>> 
>>> Currently: "However, a cache MUST NOT invalidate a URI from a Location or Content-Location header field if the host part of that URI differs from the host part in the effective request URI (Section 4.3 of [Part1]). This helps prevent denial of service attacks."
>>> 
>>> So this is *different* from Origin in that it doesn't take the scheme and the port into account. Is this an intentional change?
>> 
>> 
>> It's worth talking about.
>> 
>> My initial reaction is that we shouldn't make a change here. However, there's some value in aligning this scope with others, rather than having so many slightly different ones.
> 
> Is there some advantage to ignoring the scheme?  Generally, it's
> better to align all these boundaries along the same lines to avoid the
> "cracks" causing problems (e.g., the security problems with cookies).

That's roughly what I was thinking too.

The deciding factor here, I think, is how much real security advantage there is to aligning these boundaries; making this change has the potential to make current implementations non-conformant, which we should only do if there's significant advantage in terms of security or interoperability.

That said, my experience is that implementation of cache invalidation is spotty, so implementations are already often non-conformance, and making this more simple / aligned is attractive.

What do others think?

Cheers,

--
Mark Nottingham
http://www.mnot.net/

v2.23.0 | Report a Bug | By Email