Re: [websec] Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept) to Proposed Standard

Adam Barth <ietf@adambarth.com> Sat, 03 September 2011 19:15 UTC

On Fri, Sep 2, 2011 at 3:26 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2011-09-02 12:20, Adam Barth wrote:
>> I replied to Julian's message on a W3C list.  Julian, is there more
>> discussion you'd like to have about these points?
>> ...
>
> Well, as discussed, the syntax of the Origin header makes it hard to detect
> errors which happen when multiple instances get folded into one; see
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-latest.html#considerations.for.creating.header.fields>
> -- but I fear it's too late to fix this?

Unfortunately, yes.  Adding quotes would break the large number of
folks already using this header.

Adam
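
An added example, not part of the original message or the draft: a server-side check that refuses an Origin value when the header was repeated or arrives folded into one comma-joined value, the case discussed above. The allowlist, function names and sample origins are assumptions made for illustration, and the accepted shape (one lowercase `scheme://host[:port]`) is deliberately narrower than general URI syntax.

```python
import re

# Hypothetical allowlist for this example; compared by exact string match.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example:8443"}

# Strict shape for one serialized origin: scheme "://" host [":" port].
# No comma, whitespace, path or userinfo is accepted.
_ORIGIN_RE = re.compile(
    r"^[a-z][a-z0-9+.-]*://"
    r"(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?|\[[0-9a-f:.]+\])"
    r"(?::[0-9]{1,5})?$"
)


def fold(values):
    """Join repeated instances of one header with ', ', as HTTP permits."""
    return ", ".join(values)


def check_origin(raw_headers):
    """Validate the Origin header of one request.

    raw_headers: list of (name, value) pairs as received, duplicates kept.
    Returns (allowed, reason).
    """
    values = [v.strip() for n, v in raw_headers if n.lower() == "origin"]
    if not values:
        return False, "missing"
    if len(values) > 1:
        # The server still sees the separate instances: reject outright.
        return False, "multiple-instances"
    value = values[0]
    if "," in value:
        # An upstream hop or framework already folded several instances.
        return False, "folded-or-malformed"
    if value == "null":
        return False, "null-origin"
    if " " in value or "\t" in value:
        # More than one origin in a single value.
        return False, "origin-list"
    if not _ORIGIN_RE.match(value):
        return False, "malformed"
    if value not in ALLOWED_ORIGINS:
        return False, "not-allowed"
    return True, "ok"
```

Because the values are unquoted, the comma test is a heuristic for folding rather than proof of it, which is why the check fails closed on any value that is not exactly one allowlisted origin.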