Re: [websec] Principles of the Same-Origin Policy
Adam Barth <ietf@adambarth.com> Thu, 24 February 2011 21:39 UTC
On Thu, Feb 24, 2011 at 1:22 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
> On 2/21/11 3:10 PM, Adam Barth wrote:
>> Pursuant to the charter, I've posted an informational draft that
>> "describes the same-origin security model overall:"
>>
>> http://www.ietf.org/id/draft-abarth-principles-of-origin-00.txt
>>
>> I don't expect this document to be very controversial. I'm sure folks
>> will nitpick me over renaming URL to URI and MIME types to media
>> types, however. :)
>
> Adam, what do you see as the relationship or division of work between
> draft-ietf-websec-origin and draft-abarth-principles-of-origin?

Just what it says in the charter:

[[
The working group may split draft-abarth-origin into separate
informative and standards track specifications, the former describing
same-origin security model, and the latter specifying the nuts-and-bolts
of working with origins (computing them from URLs, comparing them to
each other, etc).
]]

Principles-of-origin is an informative document that explains the
underlying concepts of the security model. Draft-ietf-websec-origin
is a normative document that explains the low-level details of how to
construct, compare, and serialize origins.

I don't feel strongly about whether they're separate documents or the
same document. I just thought it would be better to gather feedback
in an individual draft first in either case.

Adam