Re: [websec] [Ietf-message-headers] HTTP 'Origin' permanent and provisional

SM <> Wed, 13 February 2013 20:32 UTC

Date: Wed, 13 Feb 2013 12:32:12 -0800
To: Julian Reschke <>
From: SM <>
Cc:, Bjoern Hoehrmann <>,

Hi Julian,
At 12:24 13-02-2013, Julian Reschke wrote:
>You make it sound as if it's ok to run two different registries with 
>partly overlapping values. It's not. It's a bug in the way IANA 
>handles this. This is what needs to be fixed.

It's easier to fix the bug first.

The following could be used:

   "When a new entry is recorded in the permanent message header field
    registry, IANA will remove any corresponding entries (with the same
    field name and protocol) from the provisional registry."

That avoids overlapping values.