IETF Logo Mail Archive

Re: [websec] Principles of the Same-Origin Policy

Adam Barth <ietf@adambarth.com> Mon, 13 June 2011 17:40 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22A9F11E80AC for <websec@ietfa.amsl.com>; Mon, 13 Jun 2011 10:40:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.613
X-Spam-Level:
X-Spam-Status: No, score=-3.613 tagged_above=-999 required=5 tests=[AWL=-0.636, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CJuETkRQ3UrG for <websec@ietfa.amsl.com>; Mon, 13 Jun 2011 10:40:53 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4579111E80A9 for <websec@ietf.org>; Mon, 13 Jun 2011 10:40:53 -0700 (PDT)
Received: by gxk19 with SMTP id 19so4194356gxk.31 for <websec@ietf.org>; Mon, 13 Jun 2011 10:40:52 -0700 (PDT)
Received: by 10.91.121.20 with SMTP id y20mr5757768agm.5.1307986852610; Mon, 13 Jun 2011 10:40:52 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by mx.google.com with ESMTPS id u64sm2917865yhm.41.2011.06.13.10.40.50 (version=SSLv3 cipher=OTHER); Mon, 13 Jun 2011 10:40:50 -0700 (PDT)
Received: by yxt33 with SMTP id 33so854551yxt.31 for <websec@ietf.org>; Mon, 13 Jun 2011 10:40:50 -0700 (PDT)
Received: by 10.91.100.2 with SMTP id c2mr3212633agm.179.1307986850068; Mon, 13 Jun 2011 10:40:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.36.10 with HTTP; Mon, 13 Jun 2011 10:40:20 -0700 (PDT)
In-Reply-To: <D1D3A6C4-6A29-40AA-8AB2-F69873BD745E@mnot.net>
References: <AANLkTi=nCJSC2ZpY6R_NPJUjODAgiYcRSZTaSxWr8+Fz@mail.gmail.com> <D1D3A6C4-6A29-40AA-8AB2-F69873BD745E@mnot.net>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 13 Jun 2011 10:40:20 -0700
Message-ID: <BANLkTi=gqHOijxXorShFoioyQ2X=-WkS-w@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Principles of the Same-Origin Policy
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2011 17:40:54 -0000

On Fri, May 27, 2011 at 10:24 PM, Mark Nottingham <mnot@mnot.net> wrote:
> A bit late to the party, but FWIW I like this document.

Thanks.

> It brings two questions to mind, however:
>
> * Currently, HTTPbis ticket 270 [1] moves the details of the Upgrade process in HTTP to p2-semantics [2], which "updates" (not obsoletes) RFC2817 [3], the definition of how to upgrade to TLS within HTTP/1.1 (i.e., without changing the scheme). I'm wondering if a stronger statement needs to be made; e.g., obsoleting 2817, or marking it historic. It may also be worth mentioning in your draft as a bad practice.

This was actually already in the document somewhat obliquely, but I've
made it less oblique by adding a reference to RFC 2817.  In some
sense, it's not really RFC 2817's fault because if that had become
popular, then the rest of the security model would have evolved in a
different way.

> * It doesn't mention CORS [4], which is a *much* more fine-grained (and as I've said many times, undesirably chatty) definition of a trust domain. Shouldn't there be some guidance the relationship between these different concepts, when it's appropriate to use them, etc?

I've added a reference to CORS.  I don't want to go into too much
detail, but explaining that servers can opt into sharing their content
more widely seems valuable.

Thanks!

Adam


> 1. <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/240>
> 2. <http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-14>
> 3. <http://www.ietf.org/rfc/rfc2817.txt>
> 4. <http://www.w3.org/TR/cors/>
>
>
> On 22/02/2011, at 9:10 AM, Adam Barth wrote:
>
>> Pursuant to the charter, I've posted an informational draft that
>> "describes the same-origin security model overall:"
>>
>> http://www.ietf.org/id/draft-abarth-principles-of-origin-00.txt
>>
>> I don't expect this document to be very controversial.  I'm sure folks
>> will nitpick me over renaming URL to URI and MIME types to media
>> types, however.  :)
>>
>> Feedback welcome.
>>
>> Adam
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>
>

v2.40.3 | Report a Bug | By Email | System Status