Re: [websec] Principles of the Same-Origin Policy

Adam Barth <ietf@adambarth.com> Mon, 13 June 2011 18:10 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA1E021F84E0 for <websec@ietfa.amsl.com>; Mon, 13 Jun 2011 11:10:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.515
X-Spam-Level:
X-Spam-Status: No, score=-3.515 tagged_above=-999 required=5 tests=[AWL=-0.538, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e3L3lIwkA1hZ for <websec@ietfa.amsl.com>; Mon, 13 Jun 2011 11:10:43 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id E94F911E8103 for <websec@ietf.org>; Mon, 13 Jun 2011 11:10:27 -0700 (PDT)
Received: by yxt33 with SMTP id 33so876501yxt.31 for <websec@ietf.org>; Mon, 13 Jun 2011 11:10:27 -0700 (PDT)
Received: by 10.91.3.10 with SMTP id f10mr6617282agi.2.1307988627353; Mon, 13 Jun 2011 11:10:27 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by mx.google.com with ESMTPS id c21sm5849380ana.50.2011.06.13.11.10.26 (version=SSLv3 cipher=OTHER); Mon, 13 Jun 2011 11:10:26 -0700 (PDT)
Received: by gxk19 with SMTP id 19so4213577gxk.31 for <websec@ietf.org>; Mon, 13 Jun 2011 11:10:26 -0700 (PDT)
Received: by 10.91.207.11 with SMTP id j11mr6643881agq.17.1307988625987; Mon, 13 Jun 2011 11:10:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.36.10 with HTTP; Mon, 13 Jun 2011 11:09:55 -0700 (PDT)
In-Reply-To: <4DE11FB8.8050602@lookout.net>
References: <AANLkTi=nCJSC2ZpY6R_NPJUjODAgiYcRSZTaSxWr8+Fz@mail.gmail.com> <D1D3A6C4-6A29-40AA-8AB2-F69873BD745E@mnot.net> <BANLkTikVCVex5ibzM8EgVWHfC7C6Pu4G3A@mail.gmail.com> <4DE11FB8.8050602@lookout.net>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 13 Jun 2011 11:09:55 -0700
Message-ID: <BANLkTikYc63M7x-vo6f2B6+VJ-KKqRMdeQ@mail.gmail.com>
To: Chris Weber <chris@lookout.net>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: websec@ietf.org
Subject: Re: [websec] Principles of the Same-Origin Policy
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2011 18:10:45 -0000

On Sat, May 28, 2011 at 9:15 AM, Chris Weber <chris@lookout.net> wrote:
> I wanted to suggest that section "3. Origin" include some examples presented
> in a clear and explicit way, such as in a list.
>
> 3.1 Examples of Resources With the Same Origin
>
> All of the following resources can be said to have the same origin.
>
> http://example.com
> http://example.com:80
> http://example.com/path/file
> http://example.com
>
> In these cases each URI would be parsed into identical scheme, host, and
> port components.
>
>
> 3.2 Examples of Resources With Different Origin
>
> Each of the following resources can be said to have a different origin from
> the others in this list.
>
> http://example.com
> http://example.com:8080
> http://www.example.com
> https://example.com:80
> https://example.com
> http://google.com
> http://ietf.org
>
> In each case at least one element from the URI scheme, host, and port
> component will differ from the others in the list.

Done.

Thanks,
Adam
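The comparison the quoted section 3 examples rely on is the (scheme, host, port) triple: two URLs share an origin exactly when all three components match after case-folding the scheme and host and filling in the scheme's default port. The following is an added example, not code from this thread or from the origin draft; it uses Node's built-in WHATWG `URL` parser (an assumption, since the draft itself prescribes no parser), and the one entry marked "constructed" in the 3.1 list is not from the message. It goes slightly beyond the quoted lists by also showing that case, path, query and fragment play no part in the origin.

```javascript
// Added example, not code from the websec thread or the origin draft: compute the
// (scheme, host, port) triple that the quoted section 3 examples compare, and check
// the two lists from the message with it. URLs marked "constructed" are not from the email.

// Default ports assumed for the two schemes that appear in the examples.
const DEFAULT_PORTS = { http: 80, https: 443 };

// Parse a URL into its origin triple. Scheme and host are case-insensitive, so they
// are lower-cased; an omitted port is replaced by the scheme's default so that
// "http://example.com" and "http://example.com:80" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);                 // throws on an unparseable URL
  const scheme = u.protocol.replace(/:$/, "").toLowerCase();
  const host = u.hostname.toLowerCase();
  // The URL parser drops an explicit default port (":80" on http), so u.port is ""
  // in that case as well as when no port was written; both map to the default.
  let port;
  if (u.port !== "") {
    port = Number(u.port);
  } else if (scheme in DEFAULT_PORTS) {
    port = DEFAULT_PORTS[scheme];
  } else {
    throw new Error(`no default port known for scheme "${scheme}"`);
  }
  return { scheme, host, port };
}

// Two URLs share an origin exactly when all three components match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Serialise an origin the way a browser reports it: the default port is omitted and
// any other port is kept, so "https://example.com:80" stays distinct from "https://example.com".
function serializeOrigin(urlString) {
  const o = originOf(urlString);
  const portPart = DEFAULT_PORTS[o.scheme] === o.port ? "" : `:${o.port}`;
  return `${o.scheme}://${o.host}${portPart}`;
}

// True when every URL in the list has the same origin as the first one.
function allSameOrigin(urls) {
  return urls.every((u) => sameOrigin(urls[0], u));
}

// True when no two URLs in the list share an origin.
function allPairwiseDifferent(urls) {
  const seen = new Set();
  for (const u of urls) {
    const key = serializeOrigin(u);
    if (seen.has(key)) return false;
    seen.add(key);
  }
  return true;
}

// Section 3.1 list from the message, plus one constructed entry with different case,
// a query and a fragment, none of which is part of the origin.
const SAME_ORIGIN = [
  "http://example.com",
  "http://example.com:80",
  "http://example.com/path/file",
  "HTTP://EXAMPLE.com/other?q=1#frag", // constructed, not from the message
];

// Section 3.2 list from the message, verbatim.
const DIFFERENT_ORIGIN = [
  "http://example.com",
  "http://example.com:8080",
  "http://www.example.com",
  "https://example.com:80",
  "https://example.com",
  "http://google.com",
  "http://ietf.org",
];

for (const u of [...SAME_ORIGIN, ...DIFFERENT_ORIGIN]) {
  console.log(`${u.padEnd(36)} -> ${serializeOrigin(u)}`);
}
console.log("3.1 all same origin:", allSameOrigin(SAME_ORIGIN));
console.log("3.2 all different:  ", allPairwiseDifferent(DIFFERENT_ORIGIN));
```

Note that `https://example.com:80` keeps its explicit port in the serialised form because 80 is not the default for `https`, which is why it is a distinct origin from both `https://example.com` and `http://example.com`; a comparison that compared the raw URL strings or ignored the port would get that case wrong.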