Re: #322: Origin

Mark Nottingham <mnot@mnot.net> Wed, 14 December 2011 22:54 UTC


On 15/12/2011, at 4:05 AM, Julian Reschke wrote:

> On 2011-12-14 04:27, Mark Nottingham wrote:
>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/322>
>> 
>> Since we now have a definition of an Origin, it'd be good to use it where appropriate.
> 
> Not *entirely* convinced.
> 
>> Proposal for p7 2.2:
>> 
>> """A protection space is defined by the origin [ref to origin rfc], combined with the realm value (if present)."""
> 
> We currently have:
> 
> "canonical root URI (the scheme and authority components of the effective request URI; see Section 4.3 of [Part1])"
> 
> That is essentially the same as the Origin, if we add the comparison rule from <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-17.html#rfc.section.2.7.3>
> 
> My concern is that the Origin spec does all these special things for cases we don't need to care about. Maybe we should just define the "origin" of an effective request URI in Part 1, and state that it's the same as the one you'd get following the algorithm in the Origin spec?

Seems reasonable, as long as we don't veer too far into re-defining it.

>> Proposal for p6 2.5:
>> 
>> """However, a cache MUST NOT invalidate a URI from a Location or Content-Location header field if that URI does not have the same origin as that of the effective request URI (section 4.3 of [Part1]), as specified in [ref to origin rfc]."""
> 
> Currently: "However, a cache MUST NOT invalidate a URI from a Location or Content-Location header field if the host part of that URI differs from the host part in the effective request URI (Section 4.3 of [Part1]). This helps prevent denial of service attacks."
> 
> So this is *different* from Origin in that it doesn't take the scheme and the port into account. Is this an intentional change?


It's worth talking about. 

My initial reaction is that we shouldn't make a change here. However, there's some value in aligning this scope with others, rather than having so many slightly different ones.



--
Mark Nottingham
http://www.mnot.net/
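
The two scopes discussed in this thread for the p6 2.5 invalidation check, side by side, as an added example that is not part of the original message or of any HTTPbis draft. The function names and sample URIs are constructed, and "origin" here is a simplified scheme/host/port triple for http and https only, not the full algorithm of the Origin spec.

```python
from urllib.parse import urljoin, urlsplit

# Assumption for this example: only http and https, with their usual default ports.
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(uri):
    """Return (scheme, host, port) for an absolute http(s) URI, else None."""
    try:
        parts = urlsplit(uri)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # urlsplit already lower-cases hostname; fill in the scheme's default port.
    return (scheme, parts.hostname, port if port is not None else DEFAULT_PORTS[scheme])

def may_invalidate_host_rule(request_uri, header_value):
    """Current text: only the host part has to match."""
    req = origin(request_uri)
    tgt = origin(urljoin(request_uri, header_value))  # header may be relative
    return req is not None and tgt is not None and req[1] == tgt[1]

def may_invalidate_origin_rule(request_uri, header_value):
    """Proposed text: scheme, host and port all have to match."""
    req = origin(request_uri)
    return req is not None and req == origin(urljoin(request_uri, header_value))

def compare(request_uri, header_values):
    """Map each Location/Content-Location value to (host_rule, origin_rule)."""
    return {v: (may_invalidate_host_rule(request_uri, v),
                may_invalidate_origin_rule(request_uri, v))
            for v in header_values}

# Constructed sample: effective request URI plus candidate header values.
REQUEST = "http://example.com/orders"
SAMPLES = [
    "/orders/1",                     # relative reference
    "http://EXAMPLE.com:80/x",       # same origin, different spelling
    "https://example.com/orders/1",  # scheme differs
    "http://example.com:8080/x",     # port differs
    "http://other.example/x",        # host differs
]

if __name__ == "__main__":
    for value, (host_ok, origin_ok) in compare(REQUEST, SAMPLES).items():
        print(f"{value:32} host-rule={host_ok!s:5} origin-rule={origin_ok}")
```

The two rules disagree only on the scheme-differs and port-differs rows, which is the difference Julian's question points at.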