Re: [websec] Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept) to Proposed Standard

Julian Reschke <julian.reschke@gmx.de> Thu, 25 August 2011 16:31 UTC

Message-ID: <4E567918.4090707@gmx.de>
Date: Thu, 25 Aug 2011 18:32:24 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: ietf@ietf.org
References: <20110823211953.14482.9265.idtracker@ietfa.amsl.com>
In-Reply-To: <20110823211953.14482.9265.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept) to Proposed Standard

Below are a few late comments.

6. Serializing Origins

- It really really seems that the two algorithms need to be swapped (the first one converts to ASCII, but the second does not).

- Also, I'd prefer a declarative definition.

7. The HTTP Origin header

- header *field*

- the syntax doesn't allow multiple header fields, and the prose says clients MUST NOT generate them; what is the recipient supposed to do when it gets multiple instances anyway? Is the default approach (ignoring them all) good enough? Do we need to warn recipients so that they check?

11. References

- the WEBSOCKETS reference should be updated (if a new draft is produced)

Best regards, Julian