IETF Logo Mail Archive

Re: [websec] Comments on draft-abarth-principles-of-origin-00, was: Reviews of draft-ietf-websec-origin and principles-of-origin until end of May

Tobias Gondrom <tobias.gondrom@gondrom.org> Tue, 21 June 2011 16:17 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A06E921F8476 for <websec@ietfa.amsl.com>; Tue, 21 Jun 2011 09:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level:
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2UrrembeNeGi for <websec@ietfa.amsl.com>; Tue, 21 Jun 2011 09:17:33 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 6987021F843D for <websec@ietf.org>; Tue, 21 Jun 2011 09:17:32 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=omRJWQCLue78K+bFUQFhOA0lK/AXyRDJgK/6Ql/aby5lIXjylCFp6gJZkhQVc6iu9wYBHtCLqtAMP+ij2dZK+c1tFbd60Tp6tZdgwgk9pkMGmqJcPZIokchG2b+57UOp; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 5396 invoked from network); 21 Jun 2011 18:17:03 +0200
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.64?) (94.194.102.93) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 21 Jun 2011 18:17:03 +0200
Message-ID: <4E00C3FE.7040503@gondrom.org>
Date: Tue, 21 Jun 2011 17:17:02 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110516 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: websec@ietf.org
References: <4DF675F7.2050603@KingsMountain.com> <BANLkTike6N0qfKzsUY8VDBV4ONdyWfuZ8Q@mail.gmail.com>
In-Reply-To: <BANLkTike6N0qfKzsUY8VDBV4ONdyWfuZ8Q@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] Comments on draft-abarth-principles-of-origin-00, was: Reviews of draft-ietf-websec-origin and principles-of-origin until end of May
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2011 16:17:33 -0000

Hi Adam,

FWIW my opinion is in favour of merging the two.
Reasons:
1. principles is rather short and gives a good context and introduction 
to origin, so it seems appropriate to merge them both together.
2. if I would consider origin referencing principles, there might be a 
larger number of references, which again I would take as a sign that 
merging them might be the right thing to do.
3. I tend to disagree with Jeff's argument that future references of 
"principles" would be a good reason to keep both drafts separate. I 
believe in this case future work can equally reference from the origin 
draft.

Kind regards and looking forward to reading the new version.

Tobias



On 16/06/11 04:59, Adam Barth wrote:
> I was hoping other folks would weigh into the thread.  In the interest
> of moving forward, I'm going to combine them into one document but try
> to structure the document so that folks who aren't interested in the
> nuts and bolts can still get the high-level picture.  Most of the
> folks who want to refer to the Principles document probably also want
> to refer to the Nuts-and-Bolts doc, so having them together makes that
> easier.
>
> The main tricky thing I'm working on at the moment is the scope /
> perspective issue.  Once I get that hammered out (either tonight or
> tomorrow), I'll upload a new draft.
>
> Thanks,
> Adam
>
>
> On Mon, Jun 13, 2011 at 1:41 PM, =JeffH<Jeff.Hodges@kingsmountain.com>  wrote:
>> Julian asked:
>>
>>> I believe that having two documents make sense; what's the benefit of
>>> merging?
>> Yes, I have the same question now (after belatedly reviewing the document in
>> more detail). I'm thinking Principles of the Same-Origin Policy (PSOP) ought
>> to be a separate doc, because it'll get referenced down the road
>> specifically
>> for this principle stuff, possibly by a wider range of docs than would
>> reference the Origin header spec (which concerns a particular concrete facet
>> of web platform machinery).
>>
>> I also think (on an admittedly quick re-skim) John Kemp's so-called "scope"
>> comments are overall apropos -- I have many of the same thoughts..
>>
>>   Re: [websec] Principles of the Same-Origin Policy
>>   http://www.ietf.org/mail-archive/web/websec/current/msg00257.html
>>
>> You (Adam B) are writing from the perspective of one steeped in browser and
>> web application internals, and seemingly for a similar audience it seems.
>> However, I suspect this doc would likely get read by a wider audience,
>> including those who are trying to learn (or write) about how this complex
>> "web platform" beast works.
>>
>> HTH,
>>
>> =JeffH
>>
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
>>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec

v2.39.1 | Report a Bug | By Email | System Status