Re: [websec] LC nits on draft-ietf-websec-origin-04, Re: Fwd: WG Last Call on draft-ietf-websec-origin-02 until Aug-15

Adam Barth <ietf@adambarth.com> Fri, 26 August 2011 08:12 UTC

In-Reply-To: <4E575475.30609@gmx.de>
References: <4E248B9C.1070701@gondrom.org> <860551CF-FC8D-4C82-86ED-04E1AF4293E3@w3.org> <4E553839.1000302@stpeter.im> <4E566BBD.5010507@gmx.de> <CAJE5ia8WQaF2KVrQY+AB=dF3Zwe-J4WgAHz3GRmDaurLR_gCuQ@mail.gmail.com> <4E573FF2.5000203@gmx.de> <CAJE5ia9epvih+45X=4x70_E7-q+d8FWDdd7gnX4=7c9aFed5Rg@mail.gmail.com> <4E575475.30609@gmx.de>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 26 Aug 2011 01:12:56 -0700
Message-ID: <CAJE5ia8i_tFfm1PoTpu74Op7DXxbKRQDa8hHuG2ke_1yYUxTcw@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] LC nits on draft-ietf-websec-origin-04, Re: Fwd: WG Last Call on draft-ietf-websec-origin-02 until Aug-15

[-public-web-security, to avoid cross-posting too much]

On Fri, Aug 26, 2011 at 1:08 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2011-08-26 09:58, Adam Barth wrote:
>> ...
>> That could well be important if the Origin header is used in other
>> protocols, such as CORS.  Would you recommend requiring the first or
>> the last instance?
>> ...
>
> (cc'ing the IETF WG; I was replying to the wrong email thread)
>
> I think the right thing to do would be to recommend one of:
>
> - treat the message as invalid, or
>
> - ignore the header field (whatever that means...).
>
> Picking one of the two seems to be the wrong approach.

Ok.  Maybe the best solution is to treat the header as if it contained
the value "null", which basically means the server doesn't know which
origin sent the message.  That's what we recommend user agents do when
they get confused about what value to put in the header.

Adam
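A server-side sketch of the proposal above, added here as an example and not code from the thread or from the origin draft: a request that carries more than one Origin header field is handled as if it had sent "null", which then fails any allowlist comparison. The header parser, the loose serialized-origin syntax check, and the sample requests are constructed assumptions for illustration.

```python
import re
from typing import List, Optional, Set, Tuple

# Loose syntax check for a serialized origin (scheme "://" host [":" port]).
# Assumption for this example, not the draft's normative ABNF.
_ORIGIN_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^\s/?#:]+(?::\d{1,5})?$")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header section of a constructed HTTP/1.1 request into
    (name, value) pairs, keeping duplicate fields and their order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")[1:]  # drop the request line
    return [tuple(p.strip() for p in ln.split(":", 1)) for ln in lines if ":" in ln]


def effective_origin(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Origin value the server should act on.

    Policy from the thread: more than one Origin field means the server does
    not know which origin sent the request, so it behaves as if the value
    were "null".  A field that is present but not a well-formed serialized
    origin gets the same treatment.  No Origin field at all is reported as
    None so the caller can tell "no claim" from "ambiguous claim"."""
    values = [v for n, v in headers if n.lower() == "origin"]
    if not values:
        return None
    if len(values) != 1:
        return "null"
    origin = values[0]
    if origin == "null" or _ORIGIN_RE.match(origin):
        return origin
    return "null"


def cors_allow_origin(headers: List[Tuple[str, str]], allowed: Set[str]) -> Optional[str]:
    """Value to echo in Access-Control-Allow-Origin, or None to omit it.
    "null" is never placed on an allowlist, so an ambiguous request is denied."""
    origin = effective_origin(headers)
    if origin is None or origin == "null":
        return None
    return origin if origin in allowed else None


# Constructed sample requests: one well-formed, one with a duplicated Origin field.
SINGLE = b"GET /api HTTP/1.1\r\nHost: api.example\r\nOrigin: https://app.example\r\n\r\n"
DUPLICATE = (b"GET /api HTTP/1.1\r\nHost: api.example\r\n"
             b"Origin: https://app.example\r\nOrigin: https://other.example\r\n\r\n")
```

The alternative raised in the thread, rejecting the message outright, is a one-line change at the `len(values) != 1` branch.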