Re: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15
Alexey Melnikov <alexey.melnikov@isode.com> Mon, 22 August 2011 08:49 UTC
Hi Adam,

Adam Barth wrote:

>On Sat, Aug 20, 2011 at 10:52 AM, Alexey Melnikov
><alexey.melnikov@isode.com> wrote:
>
>>Adam Barth wrote:
>>
>>>I've uploaded a new version of the draft, which incorporates all the
>>>feedback I've received:
>>>
>>>http://www.ietf.org/id/draft-ietf-websec-origin-03.txt
>>>
>>>Please let me know if I've missed any feedback.
>>
>>Hi Adam,
>>Sorry, I forgot to send out my comments on -02:
>>
>>3.2.1. Examples
>>
>>   All of the following resources have the same origin:
>>
>>   http://example.com/
>>   http://example.com:80/
>>   http://example.com/path/file
>>   http://example.com/
>>
>>The first and the last example are identical, was this intentional?
>
>Nope. Fixed.
>
>>4. Origin of a URI
>>
>>   The origin of a URI is the value computed by the following algorithm:
>>
>>   1. If the URI does not use a server-based naming authority, or if
>>      the URI is not an absolute URI, then return a globally unique
>>      identifier.
>>
>>[...]
>>
>>   6. If there is no port component of the URI:
>>
>>      1. Let uri-port be the default port for the protocol given by
>>         uri-scheme.
>>
>>      Otherwise:
>>
>>      2. Let uri-port be the port component of the URI.
>>
>>I know this is an obscure case, but what will this algorithm return for a
>>mailto URI (assuming that it is supported)? I am not entirely clear that # 1
>>applies here.
>
>It's a globally unique identifier. mailto doesn't use a server-based
>naming authority. For example, here's a nutty mailto URI:
>
>mailto:alexey.melnikov@isode.com,websec@ietf.org
>
>Although the common case of mailto URLs does contain the name of a
>single server, the general case doesn't. (Admittedly, this probably
>isn't as clearly defined as it could be.

Exactly my point. At first I thought that you meant URI scheme which
allows for the <authority> component, but it seems like you are trying
to define a wider category.

>)
>
>>5. Comparing Origins
>>
>>   NOTE: A URI is not necessarily same-origin with itself. For
>>   example, a data URI is not same-origin with itself because data
>>
>>An Informative reference for the "data" URI scheme is needed here.
>
>Done.
>
>>   URIs do not use a server-based naming authority and therefore have
>>   globally unique identifiers as origins.
>>
>>
>>6. Serializing Origins
>>
>>   This section defines how to serialize an origin to a unicode string
>>   and to an ASCII string.
>>
>>Both Unicode and ASCII need references, I think they are normative.
>
>Ok. Are these the best references?
>
>  <t>This section defines how to serialize an origin to a unicode <xref
>  target="RFC5198" /> string and to an ASCII <xref target="RFC20" />
>  string.</t>

Something like:

   [Unicode52] The Unicode Consortium. The Unicode Standard, Version
               5.2.0, defined by: "The Unicode Standard, Version 5.2.0",
               (Mountain View, CA: The Unicode Consortium, 2009. ISBN
               978-1-936213-00-9).

for Unicode. Probably worth pointing to Unicode 6.0 though.

I think RFC 20 is Ok.

<http://www.unicode.org/versions/Unicode5.2.0/>.
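
The cases discussed in this message (default port, mailto, and a data URI compared with itself), as an added example that is not part of the original message or of the draft. It assumes the platform `URL` parser, a hypothetical table of schemes with a server-based naming authority, and a fresh `Symbol` standing in for the "globally unique identifier"; only steps 1 and 6 of the quoted algorithm are modelled.

```javascript
// Schemes treated here as using a server-based naming authority, with their
// default ports. Assumption: this table is illustrative, not from the draft.
const DEFAULT_PORTS = new Map([
  ['http', 80], ['https', 443], ['ws', 80], ['wss', 443],
]);

// A fresh Symbol plays the role of the "globally unique identifier":
// it is equal to itself and to nothing else ever created.
function uniqueOrigin() {
  return { unique: Symbol('unique origin') };
}

// Origin of a URI: a (scheme, host, port) triple, or a unique identifier.
function originOf(uri) {
  let parsed;
  try {
    parsed = new URL(uri);          // throws when the URI is not absolute
  } catch (err) {
    return uniqueOrigin();          // step 1: not an absolute URI
  }
  const scheme = parsed.protocol.slice(0, -1).toLowerCase();
  if (!DEFAULT_PORTS.has(scheme) || parsed.hostname === '') {
    return uniqueOrigin();          // step 1: e.g. mailto:, data:
  }
  // Step 6: no port component means the scheme's default port.
  const port = parsed.port === ''
    ? DEFAULT_PORTS.get(scheme)
    : Number(parsed.port);
  return { scheme, host: parsed.hostname.toLowerCase(), port };
}

// Two origins match if they are the same unique identifier or equal triples.
function sameOrigin(a, b) {
  if (a.unique || b.unique) return a.unique === b.unique;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Computes the origin of each URI independently, then compares them.
function sameOriginUris(u1, u2) {
  return sameOrigin(originOf(u1), originOf(u2));
}
```

Because `sameOriginUris` computes each origin separately, passing the same data URI twice yields two different identifiers, which is the behaviour the NOTE in section 5 describes.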