Re: [websec] Comments on draft-abarth-principles-of-origin-00, was: Reviews of draft-ietf-websec-origin and principles-of-origin until end of May

Adam Barth <ietf@adambarth.com> Thu, 16 June 2011 03:59 UTC

In-Reply-To: <4DF675F7.2050603@KingsMountain.com>
References: <4DF675F7.2050603@KingsMountain.com>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 15 Jun 2011 20:59:00 -0700
Message-ID: <BANLkTike6N0qfKzsUY8VDBV4ONdyWfuZ8Q@mail.gmail.com>
To: =JeffH <Jeff.Hodges@kingsmountain.com>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Comments on draft-abarth-principles-of-origin-00, was: Reviews of draft-ietf-websec-origin and principles-of-origin until end of May

I was hoping other folks would weigh in on the thread.  In the interest
of moving forward, I'm going to combine them into one document but try
to structure the document so that folks who aren't interested in the
nuts and bolts can still get the high-level picture.  Most of the
folks who want to refer to the Principles document probably also want
to refer to the Nuts-and-Bolts doc, so having them together makes that
easier.

The main tricky thing I'm working on at the moment is the scope /
perspective issue.  Once I get that hammered out (either tonight or
tomorrow), I'll upload a new draft.

Thanks,
Adam


On Mon, Jun 13, 2011 at 1:41 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> Julian asked:
>
>> I believe that having two documents make sense; what's the benefit of
>> merging?
>
> Yes, I have the same question now (after belatedly reviewing the document in
> more detail). I'm thinking Principles of the Same-Origin Policy (PSOP) ought
> to be a separate doc, because it'll get referenced down the road specifically
> for this principle stuff, possibly by a wider range of docs than would
> reference the Origin header spec (which concerns a particular concrete facet
> of web platform machinery).
>
> I also think (on an admittedly quick re-skim) John Kemp's so-called "scope"
> comments are overall apropos -- I have many of the same thoughts.
>
>  Re: [websec] Principles of the Same-Origin Policy
>  http://www.ietf.org/mail-archive/web/websec/current/msg00257.html
>
> You (Adam B) are writing from the perspective of one steeped in browser and
> web application internals, and seemingly for a similar audience it seems.
> However, I suspect this doc would likely get read by a wider audience,
> including those who are trying to learn (or write) about how this complex
> "web platform" beast works.
>
> HTH,
>
> =JeffH