Re: [websec] Comments on draft-abarth-principles-of-origin-00, was: Reviews of draft-ietf-websec-origin and principles-of-origin until end of May

Peter Saint-Andre <stpeter@stpeter.im> Tue, 21 June 2011 16:38 UTC

Message-ID: <4E00C8F4.8070103@stpeter.im>
Date: Tue, 21 Jun 2011 10:38:12 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
References: <4DF675F7.2050603@KingsMountain.com> <BANLkTike6N0qfKzsUY8VDBV4ONdyWfuZ8Q@mail.gmail.com> <4E00C3FE.7040503@gondrom.org>
In-Reply-To: <4E00C3FE.7040503@gondrom.org>
Cc: websec@ietf.org
Subject: Re: [websec] Comments on draft-abarth-principles-of-origin-00, was: Reviews of draft-ietf-websec-origin and principles-of-origin until end of May

<hat type='individual'/>

Agreed. Plus, at some point in the future, people will look for "that
RFC about same origin" and it would be confusing for them to find two
instead of one. Best to put it all in one place, I think.

On 6/21/11 10:17 AM, Tobias Gondrom wrote:
> Hi Adam,
> 
> FWIW my opinion is in favour of merging the two.
> Reasons:
> 1. Principles is rather short and gives a good context and introduction
> to origin, so it seems appropriate to merge them both together.
> 2. If I were to consider origin referencing principles, there might be a
> larger number of references, which again I would take as a sign that
> merging them might be the right thing to do.
> 3. I tend to disagree with Jeff's argument that future references of
> "principles" would be a good reason to keep both drafts separate. I
> believe in this case future work can equally reference from the origin
> draft.
> 
> Kind regards and looking forward to reading the new version.
> 
> Tobias
> 
> 
> 
> On 16/06/11 04:59, Adam Barth wrote:
>> I was hoping other folks would weigh into the thread.  In the interest
>> of moving forward, I'm going to combine them into one document but try
>> to structure the document so that folks who aren't interested in the
>> nuts and bolts can still get the high-level picture.  Most of the
>> folks who want to refer to the Principles document probably also want
>> to refer to the Nuts-and-Bolts doc, so having them together makes that
>> easier.
>>
>> The main tricky thing I'm working on at the moment is the scope /
>> perspective issue.  Once I get that hammered out (either tonight or
>> tomorrow), I'll upload a new draft.
>>
>> Thanks,
>> Adam
>>
>>
>> On Mon, Jun 13, 2011 at 1:41 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
>>> Julian asked:
>>>
>>>> I believe that having two documents make sense; what's the benefit of
>>>> merging?
>>> Yes, I have the same question now (after belatedly reviewing the
>>> document in more detail). I'm thinking Principles of the Same-Origin
>>> Policy (PSOP) ought to be a separate doc, because it'll get referenced
>>> down the road specifically for this principle stuff, possibly by a wider
>>> range of docs than would reference the Origin header spec (which concerns
>>> a particular concrete facet of web platform machinery).
>>>
>>> I also think (on an admittedly quick re-skim) John Kemp's so-called
>>> "scope" comments are overall apropos -- I have many of the same thoughts.
>>>
>>>   Re: [websec] Principles of the Same-Origin Policy
>>>   http://www.ietf.org/mail-archive/web/websec/current/msg00257.html
>>>
>>> You (Adam B) are writing from the perspective of one steeped in browser
>>> and web application internals, and seemingly for a similar audience.
>>> However, I suspect this doc would likely get read by a wider audience,
>>> including those who are trying to learn (or write) about how this
>>> complex "web platform" beast works.
>>>
>>> HTH,
>>>
>>> =JeffH
>>>