Re: [websec] Principles of the Same-Origin Policy

Chris Weber <chris@lookout.net> Sat, 28 May 2011 16:15 UTC

Message-ID: <4DE11FB8.8050602@lookout.net>
Date: Sat, 28 May 2011 09:15:52 -0700
From: Chris Weber <chris@lookout.net>
To: websec@ietf.org
References: <AANLkTi=nCJSC2ZpY6R_NPJUjODAgiYcRSZTaSxWr8+Fz@mail.gmail.com> <D1D3A6C4-6A29-40AA-8AB2-F69873BD745E@mnot.net> <BANLkTikVCVex5ibzM8EgVWHfC7C6Pu4G3A@mail.gmail.com>
In-Reply-To: <BANLkTikVCVex5ibzM8EgVWHfC7C6Pu4G3A@mail.gmail.com>

I wanted to suggest that section "3. Origin" include some examples 
presented in a clear and explicit way, such as in a list.

3.1 Examples of Resources With the Same Origin

All of the following resources can be said to have the same origin.

http://example.com
http://example.com:80
http://example.com/path/file
http://example.com

In these cases each URI would be parsed into identical scheme, host, and 
port components.


3.2 Examples of Resources With Different Origin

Each of the following resources can be said to have a different origin 
from the others in this list.

http://example.com
http://example.com:8080
http://www.example.com
https://example.com:80
https://example.com
http://google.com
http://ietf.org

In each case at least one of the scheme, host, and port components of 
the URI will differ from those of the others in the list.

Best regards,
Chris Weber
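The comparison the message describes, as an added example that is not part of Chris Weber's post: each URL is parsed into its (scheme, host, port) tuple, the scheme's default port is filled in where the URL omits it, and two URLs are same-origin only when all three components match. The code relies on the WHATWG URL parser shipped with Node.js and browsers; the DEFAULT_PORTS table and the function names are assumptions of this example, and the two URL lists are the ones from the message above (plus an upper-case host to show that host comparison is case-insensitive).

```javascript
// Added example, not code from the original message. Maps a URL to its
// origin tuple and compares origins the way the post describes.

// Default ports per scheme (assumption of this example; the WHATWG URL
// parser reports "" for a default or omitted port, so we fill it in).
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Parse a URL and return its { scheme, host, port } origin tuple.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? Number(u.port) : DEFAULT_PORTS[u.protocol];
  if (port === undefined) {
    throw new Error(`no default port known for scheme ${u.protocol}`);
  }
  // Host names are case-insensitive; the parser already lowercases them,
  // but normalise again so the comparison never depends on that.
  return {
    scheme: u.protocol.slice(0, -1), // strip the trailing ":"
    host: u.hostname.toLowerCase(),
    port,
  };
}

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Serialise the tuple so it can be used as a Map key.
function originKey(urlString) {
  const o = originOf(urlString);
  return `${o.scheme}://${o.host}:${o.port}`;
}

// Group a list of URLs by origin; returns Map<originKey, url[]>.
function groupByOrigin(urls) {
  const groups = new Map();
  for (const u of urls) {
    const key = originKey(u);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(u);
  }
  return groups;
}

// The lists from the message (section 3.1 and 3.2), with one added
// upper-case variant to exercise host-name case folding.
const SAME_ORIGIN_EXAMPLES = [
  "http://example.com",
  "http://example.com:80",
  "http://example.com/path/file",
  "http://EXAMPLE.com/",
];

const DIFFERENT_ORIGIN_EXAMPLES = [
  "http://example.com",
  "http://example.com:8080",
  "http://www.example.com",
  "https://example.com:80",
  "https://example.com",
  "http://google.com",
  "http://ietf.org",
];

// Stand-alone run: print how many distinct origins each list contains.
if (typeof require !== "undefined" && require.main === module) {
  console.log("3.1 distinct origins:", groupByOrigin(SAME_ORIGIN_EXAMPLES).size);
  console.log("3.2 distinct origins:", groupByOrigin(DIFFERENT_ORIGIN_EXAMPLES).size);
}
```

Running the block with Node.js reports one distinct origin for the first list and seven for the second. Note the https://example.com:80 case: the explicit port 80 is kept because it is not the default for https, so it is a different origin from https://example.com even though the scheme and host agree.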