Re: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15
Adam Barth <ietf@adambarth.com> Sat, 20 August 2011 19:46 UTC
On Sat, Aug 20, 2011 at 10:52 AM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
> Adam Barth wrote:
>
>> I've uploaded a new version of the draft, which incorporates all the
>> feedback I've received:
>>
>> http://www.ietf.org/id/draft-ietf-websec-origin-03.txt
>>
>> Please let me know if I've missed any feedback.
>>
> Hi Adam,
> Sorry, I forgot to send out my comments on -02:
>
> 3.2.1. Examples
>
>   All of the following resources have the same origin:
>
>   http://example.com/
>   http://example.com:80/
>   http://example.com/path/file
>   http://example.com/
>
> The first and the last example are identical, was this intentional?

Nope. Fixed.

> 4. Origin of a URI
>
>   The origin of a URI is the value computed by the following algorithm:
>
>   1. If the URI does not use a server-based naming authority, or if
>      the URI is not an absolute URI, then return a globally unique
>      identifier.
>
> [...]
>
>   6. If there is no port component of the URI:
>
>      1. Let uri-port be the default port for the protocol given by
>         uri-scheme.
>
>      Otherwise:
>
>      2. Let uri-port be the port component of the URI.
>
> I know this is an obscure case, but what will this algorithm return for a
> mailto URI (assuming that it is supported)? I am not entirely clear that # 1
> applies here.

It's a globally unique identifier. mailto doesn't use a server-based
naming authority. For example, here's a nutty mailto URI:

mailto:alexey.melnikov@isode.com,websec@ietf.org

Although the common case of mailto URLs does contain the name of a
single server, the general case doesn't. (Admitted, this probably
isn't as clearly defined as it could be.)

> 5. Comparing Origins
>
>   NOTE: A URI is not necessarily same-origin with itself. For
>   example, a data URI is not same-origin with itself because data
>
> An Informative reference for the "data" URI scheme is needed here.

Done.

>   URIs do not use a server-based naming authority and therefore have
>   globally unique identifiers as origins.
>
>
> 6. Serializing Origins
>
>   This section defines how to serialize an origin to a unicode string
>   and to an ASCII string.
>
> Both Unicode and ASCII need references, I think they are normative.

Ok. Are these the best references?

<t>This section defines how to serialize an origin to a unicode
<xref target="RFC5198" /> string and to an ASCII
<xref target="RFC20" /> string.</t>

Thanks,
Adam
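
The origin rules discussed in this message, as an added Python sketch that is not part of the original email or of the draft. It implements only the two steps quoted above (step 1 and step 6); the default-port table, the treatment of every other scheme as unsupported, and the use of `urllib.parse` to decide whether a URI has a server-based naming authority are assumptions of this example.

```python
import uuid
from urllib.parse import urlsplit

# Assumption: a minimal default-port table for this sketch only.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(uri):
    """Return a (scheme, host, port) triple, or a fresh globally unique
    identifier when the URI has no usable server-based authority."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    try:
        host, port = parts.hostname, parts.port
    except ValueError:
        # Malformed port: treat as having no usable authority (assumption).
        return uuid.uuid4()
    # Quoted step 1: not an absolute URI, or no server-based naming
    # authority (mailto:, data:), so return a globally unique identifier.
    if not scheme or not host:
        return uuid.uuid4()
    # Assumption: schemes missing from DEFAULT_PORTS count as unsupported.
    if scheme not in DEFAULT_PORTS:
        return uuid.uuid4()
    # Quoted step 6: no port component means the scheme's default port.
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, host.lower(), port)


def same_origin(uri_a, uri_b):
    """Two URIs are same-origin only if both yield identical triples.
    Every identifier is freshly generated, so it never equals another."""
    return origin_of(uri_a) == origin_of(uri_b)


if __name__ == "__main__":
    # URIs taken from the message above; the data: URI is constructed.
    samples = [
        ("http://example.com/", "http://example.com:80/"),
        ("http://example.com/", "http://example.com/path/file"),
        ("mailto:alexey.melnikov@isode.com,websec@ietf.org",
         "mailto:alexey.melnikov@isode.com,websec@ietf.org"),
        ("data:text/plain,hello", "data:text/plain,hello"),
    ]
    for a, b in samples:
        print(f"{a!r} vs {b!r}: same origin = {same_origin(a, b)}")
```

Because a new identifier is minted on every call, comparing a `mailto:` or `data:` URI with itself reports different origins, which is the behaviour the NOTE in section 5 describes.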