Re: [hybi] #3: Origin-based security model

"hybi issue tracker" <trac@tools.ietf.org> Tue, 18 May 2010 17:27 UTC

From: hybi issue tracker <trac@tools.ietf.org>
To: ietf@adambarth.com, julian.reschke@gmx.de
Cc: hybi@ietf.org
Date: Tue, 18 May 2010 17:21:06 -0000
Subject: Re: [hybi] #3: Origin-based security model
Message-ID: <077.19e275f65226a13e72609d9eb0e990e1@tools.ietf.org>
In-Reply-To: <068.ff12b710957526e5ff68a6e40306af50@tools.ietf.org>
X-Trac-Ticket-URL: https://svn.tools.ietf.org/wg/hybi/trac/ticket/3#comment:3

#3: Origin-based security model
-------------------------------------------+--------------------------------
 Reporter:  salvatore.loreto@…             |       Owner:     
     Type:  task                           |      Status:  new
 Priority:  minor                          |   Milestone:     
Component:  websocket-requirements         |     Version:     
 Severity:  -                              |    Keywords:     
-------------------------------------------+--------------------------------

Comment(by ietf@…):

 I think you have the dependencies backwards.  XMLHttpRequest and
 WebSockets define a policy by referencing the algorithms in that document.
 The same-origin policy varies by API so it's not possible to write a once-
 and-for-all document that explains it.

 As an example, the <canvas> HTML tag has special rules for handling cross-
 origin image data drawn on the canvas.  If we had written a document
 explaining the same-origin policy before the <canvas> tag existed, we
 wouldn't have been able to anticipate its security needs.

-- 
Ticket URL: <https://svn.tools.ietf.org/wg/hybi/trac/ticket/3#comment:3>
hybi <http://tools.ietf.org/hybi/>
The Hypertext-Bidirectional (HyBi) working group will seek
standardization of one approach to maintain bidirectional
communications between the HTTP client, server and intermediate
entities, which will provide more efficiency compared to the current
use of hanging requests.
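The comment above argues that "the same-origin policy" is really a family of per-API rules, with canvas as the odd one out. The following is an added illustration, not code from the ticket, the hybi working group, or any browser: it models two of those rules side by side in plain JavaScript so they can be compared without a browser. The origin tuple (scheme, host, port) is taken from the WHATWG `URL` object's `origin` property, which Node.js implements; the `xhrReadBody`, `CanvasModel`, `SecurityError` and `demo` names and the constructed response and image objects are this example's own inventions. The XHR-style rule withholds a cross-origin response body entirely unless the server opts in with `Access-Control-Allow-Origin`; the canvas-style rule lets cross-origin pixels be drawn but clears an "origin-clean" flag, after which pixel read-back is refused, which is the special handling the comment refers to.

```javascript
// Added example (not part of the thread): two flavours of the same-origin
// policy, simulated. No browser APIs are used; everything is constructed.

// Origin = (scheme, host, port). WHATWG URL serialises it as url.origin,
// eliding a default port, e.g. "https://example.com". Node's global URL
// follows that spec. Opaque origins (e.g. file:) serialise as "null".
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  // An opaque ("null") origin never matches anything, not even itself.
  return oa !== 'null' && oa === ob;
}

// Stand-in for the DOMException a browser would raise.
class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = 'SecurityError'; }
}

// XMLHttpRequest-style rule: the request may go out, but the page only gets
// to read the body if the response is same-origin or the server opted in via
// CORS. `response` is a constructed {url, headers, body} object, not a fetch.
function xhrReadBody(pageUrl, response) {
  const acao = response.headers['access-control-allow-origin'];
  const allowed = sameOrigin(pageUrl, response.url)
    || acao === '*'
    || acao === originOf(pageUrl);
  if (!allowed) throw new SecurityError('cross-origin response body is not readable');
  return response.body;
}

// canvas-style rule: drawing is always permitted, but drawing cross-origin
// image data that was not CORS-approved clears the origin-clean flag, and a
// tainted canvas refuses pixel read-back (getImageData/toDataURL in browsers).
class CanvasModel {
  constructor(pageUrl) {
    this.pageUrl = pageUrl;
    this.originClean = true;
    this.pixels = [];
  }
  // `image` is a constructed {url, corsApproved, pixels} object.
  drawImage(image) {
    if (!sameOrigin(this.pageUrl, image.url) && !image.corsApproved) {
      this.originClean = false;
    }
    this.pixels = this.pixels.concat(image.pixels);
  }
  getImageData() {
    if (!this.originClean) {
      throw new SecurityError('canvas is tainted by cross-origin image data');
    }
    return this.pixels.slice();
  }
}

function raisesSecurityError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof SecurityError; }
}

// Walk both rules over the same constructed inputs and report what happened.
function demo() {
  const page = 'https://app.example/';
  const sameSite = { url: 'https://app.example/api', headers: {}, body: 'ok' };
  const foreign = { url: 'https://other.example/api', headers: {}, body: 'secret' };
  const corsShared = { url: 'https://other.example/api',
    headers: { 'access-control-allow-origin': 'https://app.example' }, body: 'shared' };

  const canvas = new CanvasModel(page);
  canvas.drawImage({ url: 'https://app.example/logo.png', corsApproved: false, pixels: [1, 2] });
  const cleanReadback = canvas.getImageData();          // allowed: still origin-clean
  canvas.drawImage({ url: 'https://cdn.example/photo.png', corsApproved: false, pixels: [3] });

  return {
    xhrSameOrigin: xhrReadBody(page, sameSite),                         // 'ok'
    xhrCrossOriginBlocked: raisesSecurityError(() => xhrReadBody(page, foreign)), // true
    xhrCorsAllowed: xhrReadBody(page, corsShared),                      // 'shared'
    canvasCleanReadback: cleanReadback,                                 // [1, 2]
    canvasTainted: !canvas.originClean,                                 // true
    canvasReadbackBlocked: raisesSecurityError(() => canvas.getImageData()), // true
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point the model makes visible is the one the comment makes in prose: both rules start from the same origin comparison, but what they gate differs (reading a response body versus reading back pixels), and the canvas rule even lets the forbidden data in before refusing to let it out. A once-and-for-all policy document could state the origin comparison, but not which operation each future API would need to guard.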