IETF Logo Mail Archive

Re: [websec] LC nits on draft-ietf-websec-origin-04, Re: Fwd: WG Last Call on draft-ietf-websec-origin-02 until Aug-15

Julian Reschke <julian.reschke@gmx.de> Fri, 26 August 2011 08:07 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3D2221F8B15 for <websec@ietfa.amsl.com>; Fri, 26 Aug 2011 01:07:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.184
X-Spam-Level:
X-Spam-Status: No, score=-104.184 tagged_above=-999 required=5 tests=[AWL=-1.585, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4VU30yV1EwpK for <websec@ietfa.amsl.com>; Fri, 26 Aug 2011 01:07:09 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id A088F21F8B14 for <websec@ietf.org>; Fri, 26 Aug 2011 01:07:08 -0700 (PDT)
Received: (qmail invoked by alias); 26 Aug 2011 08:08:21 -0000
Received: from p508FA4C2.dip.t-dialin.net (EHLO [192.168.178.36]) [80.143.164.194] by mail.gmx.net (mp067) with SMTP; 26 Aug 2011 10:08:21 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/pGYpmmMrp6RC9Ik71HTOnXJrUXB7zJbaUstLdNZ fSX5XAwyqfHtWP
Message-ID: <4E575475.30609@gmx.de>
Date: Fri, 26 Aug 2011 10:08:21 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: Adam Barth <w3c@adambarth.com>
References: <4E248B9C.1070701@gondrom.org> <860551CF-FC8D-4C82-86ED-04E1AF4293E3@w3.org> <4E553839.1000302@stpeter.im> <4E566BBD.5010507@gmx.de> <CAJE5ia8WQaF2KVrQY+AB=dF3Zwe-J4WgAHz3GRmDaurLR_gCuQ@mail.gmail.com> <4E573FF2.5000203@gmx.de> <CAJE5ia9epvih+45X=4x70_E7-q+d8FWDdd7gnX4=7c9aFed5Rg@mail.gmail.com>
In-Reply-To: <CAJE5ia9epvih+45X=4x70_E7-q+d8FWDdd7gnX4=7c9aFed5Rg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: public-web-security <public-web-security@w3.org>, websec <websec@ietf.org>
Subject: Re: [websec] LC nits on draft-ietf-websec-origin-04, Re: Fwd: WG Last Call on draft-ietf-websec-origin-02 until Aug-15
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2011 08:07:09 -0000

On 2011-08-26 09:58, Adam Barth wrote:
> ...
> That could well be important if the Origin header is used in other
> protocols, such as CORS.  Would you recommend requiring the first or
> the last instance?
> ...

(cc'ing the IETF WG; I was replying to the wrong email thread)

I think the right thing to do would be to recommend one of:

- treat the message as invalid, or

- ignore the header field (whatever that means...).

Picking one of the two seems to be the wrong approach.

Best regards, Julian

v2.23.0 | Report a Bug | By Email