[websec] Protocol Action: 'The Web Origin Concept' to Proposed Standard (draft-ietf-websec-origin-06.txt)

The IESG <iesg-secretary@ietf.org> Wed, 05 October 2011 18:02 UTC

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Message-ID: <20111005180213.1858.93149.idtracker@ietfa.amsl.com>
Date: Wed, 05 Oct 2011 11:02:13 -0700
Cc: websec mailing list <websec@ietf.org>, websec chair <websec-chairs@tools.ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: [websec] Protocol Action: 'The Web Origin Concept' to Proposed Standard (draft-ietf-websec-origin-06.txt)

The IESG has approved the following document:
- 'The Web Origin Concept'
  (draft-ietf-websec-origin-06.txt) as a Proposed Standard

This document is the product of the Web Security Working Group.

The IESG contact persons are Peter Saint-Andre and Pete Resnick.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-websec-origin/




   Technical Summary

      This document defines the concept of an "origin", which is often
      used as the scope of authority or privilege by user agents.  Typically,
      user agents isolate content retrieved from different origins to
      prevent malicious web site operators from interfering with the
      operation of benign web sites.  In addition to outlining the
      principles that underlie the concept of origin, this document defines
      how to determine the origin of a URI, how to serialize an origin into
      a string, and an HTTP header, named "Origin", that indicates which
      origins are associated with an HTTP request.

   Working Group Summary

      There was nothing particularly worth noting about the WG process.
      Specifically there was no strong controversy about this document.
      The document received sufficient review from WG participants and 
      individuals outside the WG.  Furthermore, reviews also covered 
      document versions before their adoption by the WG or even prior to 
      the formation of the WebSec WG (i.e., draft-abarth-origin and 
      draft-abarth-principles-of-origin).

   Document Quality

      The origin concept is widely used in the web browser and application
      environment to determine trusted sources.  Still it may be noteworthy
      that some current implementations of the origin concept may differ
      in whether all three elements of the origin-tuple must be identical
      to constitute identity of origin (in some current browser
      implementations the scheme or port might receive less weight).

      The text regarding comparison of internationalized domain names
      benefited from extensive discussion with Patrik Faltstrom, Jeff Hodges,
      John Klensin, and Pete Resnick.
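
The origin computation, serialization and three-element comparison summarized above, as an added Python sketch that is not part of the IESG announcement or the draft's own text. The function names, the scheme table and the use of Python's built-in `idna` codec (IDNA 2003) for host conversion are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: only these hierarchical schemes are handled; anything else is opaque.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}


def origin_of(uri):
    """Return the (scheme, host, port) triple, or None for an opaque (unique) origin."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = parts.hostname  # lowercased by urlsplit, userinfo and port removed
    if scheme not in DEFAULT_PORTS or not host:
        return None  # e.g. data: URIs have no host to act as naming authority
    try:
        # Compare hosts in ASCII (A-label) form so IDN spellings cannot diverge.
        host = host.encode("idna").decode("ascii")
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except (UnicodeError, ValueError):
        return None  # invalid host label or out-of-range port: fail closed
    return (scheme, host, port)


def serialize(origin):
    """Serialize an origin as it would appear in an Origin header value."""
    if origin is None:
        return "null"
    scheme, host, port = origin
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"  # default port is omitted
    return f"{scheme}://{host}:{port}"


def same_origin(uri_a, uri_b):
    """True only if scheme, host AND port all match; opaque origins never match."""
    a, b = origin_of(uri_a), origin_of(uri_b)
    return a is not None and a == b


if __name__ == "__main__":
    # Constructed sample pairs, each varying one element of the triple.
    base = "http://example.com/app"
    for other in ("http://example.com:80/x", "https://example.com/",
                  "http://example.com:8080/", "http://www.example.com/"):
        print(f"{serialize(origin_of(other)):28} same_origin={same_origin(base, other)}")
```

A server-side check that compares only the host, ignoring scheme or port, reproduces the weaker behaviour the Document Quality note attributes to some implementations.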