Re: [websec] Comments on draft-abarth-principles-of-origin-00, was: Reviews of draft-ietf-websec-origin and principles-of-origin - until end of May
Adam Barth <ietf@adambarth.com> Mon, 13 June 2011 16:47 UTC
On Fri, May 13, 2011 at 1:47 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Terminology: replace "URL" by "URI" throughout.

Done.

> Replace "MIME type" by "media type" throughout.

Done.

> Add proper references.

Which references would you like to see added?

> A: Although the DNS has hierarchical delegation, the trust
> relationships between host names vary by deployment. For example, at
> many educational institutions, students can host content at
> https://example.edu/~student/, but that does not mean a document
> authored by a student should be part of the same origin (i.e.,
> represent the same principal) as a web application for managing
> grades hosted at https://grades.example.edu/.
>
> Comment: Maybe point out that under this arrangement, the URIs for different
> students *will* be in the same origin?

Done.

> 4. Authority
>
> It's a bit unfortunate that "authority" is used by RFC 3986 (URI) for
> something slightly different. If we don't want to change the term (which I
> assume) then it might be a good idea to clarify that this is not the same
> thing as the "authority" component of a URI as defined in
> <http://greenbytes.de/tech/webdav/rfc3986.html#rfc.section.3.2>.

Done.

Thanks!
Adam
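
Added example, not part of the original message or of the draft: a scheme/host/port origin comparison applied to the URIs quoted above, next to the RFC 3986 "authority" component of the same URIs. The student names `alice` and `bob`, the port 8443 and the function names are constructed for illustration.

```javascript
// Added example: the path is not part of the origin, the host is.
// Student names and the 8443 port below are constructed sample values.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin as a (scheme, host, port) triple, with the scheme's default
// port filled in so that an explicit ":443" compares equal to none.
function originOf(uri) {
  const u = new URL(uri);
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// RFC 3986 section 3.2 "authority" component: [userinfo@]host[:port].
// It is a syntactic part of one URI and may carry userinfo, which the
// origin triple never includes.
function uriAuthority(uri) {
  const u = new URL(uri);
  const pass = u.password ? ":" + u.password : "";
  const userinfo = u.username ? u.username + pass + "@" : "";
  return userinfo + u.host;
}

const alice = "https://example.edu/~alice/";
const bob = "https://example.edu/~bob/";
const grades = "https://grades.example.edu/";

console.log("alice vs bob   :", sameOrigin(alice, bob));
console.log("alice vs grades:", sameOrigin(alice, grades));
console.log("URI authority  :", uriAuthority("https://alice@example.edu:8443/~alice/"));
```
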