Re: [websec] Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept) to Proposed Standard
Frank Ellermann <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com> Fri, 02 September 2011 22:19 UTC
Return-Path: <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3B5621F8D14; Fri, 2 Sep 2011 15:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.949
X-Spam-Level:
X-Spam-Status: No, score=-102.949 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, FROM_LOCAL_NOVOWEL=0.5, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hTsTOQ3WtBU9; Fri, 2 Sep 2011 15:19:54 -0700 (PDT)
Received: from mail-pz0-f45.google.com (mail-pz0-f45.google.com [209.85.210.45]) by ietfa.amsl.com (Postfix) with ESMTP id 217E621F8D12; Fri, 2 Sep 2011 15:19:54 -0700 (PDT)
Received: by pzk33 with SMTP id 33so10534665pzk.18 for <multiple recipients>; Fri, 02 Sep 2011 15:21:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=TRyRgILSJH9TK8zpdSTlnG8wuTaQGj2z7uhjxaWIcRI=; b=EndVk8JyVDzt/IjrSeTsQfz3Sst5ccSTCNfmU7hK1yOpXVD0bcOrbqXc5Muf8MnOXZ 14URcJsl7AF1MtexvIb8bjivk8yZkSkDMcdAAfdB4rbWp1yyLmvY49kbL+Gs1iwWsArn hwXC+Mj8BNuxu8qpD5BGZvqoLYv6Rx/Arlb04=
Received: by 10.68.34.34 with SMTP id w2mr2758941pbi.291.1315002091065; Fri, 02 Sep 2011 15:21:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.98.5 with HTTP; Fri, 2 Sep 2011 15:20:51 -0700 (PDT)
In-Reply-To: <24011A01-BF9D-4A63-A7DE-554399FDAB96@gbiv.com>
References: <20110823211953.14482.9265.idtracker@ietfa.amsl.com> <712C43CF-5F59-4F3D-B88F-11B3CEE52591@gbiv.com> <CAHhFybpey5-e7KYkUb-tsBAb_+KSykvQ1w4vUuQL7xyguYXAcQ@mail.gmail.com> <24011A01-BF9D-4A63-A7DE-554399FDAB96@gbiv.com>
From: Frank Ellermann <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com>
Date: Sat, 03 Sep 2011 00:20:51 +0200
Message-ID: <CAHhFybpQO96YhH_aMgViQCKoTf7cmqH+YojzrV=1gf23hY0-0Q@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Sat, 03 Sep 2011 02:24:05 -0700
Cc: websec <websec@ietf.org>, ietf@ietf.org
Subject: Re: [websec] Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept) to Proposed Standard
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Sep 2011 22:19:54 -0000
On 2 September 2011 23:15, Roy T. Fielding wrote: >> this is still "avoid *any* folding", and not "avoid more >> than one folding". > That is the intention. There is no reason to fold in HTTP > outside of the message/http media type. As a result you get an intentional difference from <obs-FWS> in messages, because HTTP has no line length limit. This <obs-FWS> is about "insane" foldings, and your <obs-fold> is about "unnecessary or insane" foldings. I'm not sure that a sound but unnecessary folding is really always a bad idea, e.g., I don't use programming languages with a hardwired maximal string length, where "unnecessary" could turn out to be "rarely almost required". Still only "JFTR", if you are sure that this is precisely as you want it stick to it. The more spectacular examples with "syntactically valid ASCII art consisting of commas" will be obsoleted by <obs-fold>, while <obs-FWS> alone only tackles the dangerous "apparently empty" lines -- but IIRC RFC 5322 also did something else about ASCII art. >> I wonder why you don't demote HTAB generally to "obsolete" >> in OWS. > We already state that a single SP is preferred. Two SHOULDs in the prose before the syntax. If you move HTAB to obs-fold = HTAB / ( CRLF (HTAB / SP)) and then rename this to <obs-wsp> it would more closely match the prose, "whatever you do with one or even more than one SP, stay away from HTAB and CRLF". > That said, I'd also agree with Julian's suggestion that it > is better to just define the field-value in ABNF and leave > the rest to HTTP. Yes, the Origin I-D shouldn't define any <OWS> if that is not guaranteed to be precisely the same as in the future HTTPbis. -Frank
- [websec] Last Call: <draft-ietf-websec-origin-04.… The IESG
- Re: [websec] Last Call: <draft-ietf-websec-origin… Julian Reschke
- Re: [websec] Last Call: <draft-ietf-websec-origin… Adam Barth
- Re: [websec] Last Call: <draft-ietf-websec-origin… Julian Reschke
- Re: [websec] Last Call: <draft-ietf-websec-origin… Roy T. Fielding
- Re: [websec] Last Call: <draft-ietf-websec-origin… Roy T. Fielding
- Re: [websec] Last Call: <draft-ietf-websec-origin… Frank Ellermann
- Re: [websec] Last Call: <draft-ietf-websec-origin… Frank Ellermann
- Re: [websec] Last Call: <draft-ietf-websec-origin… Adam Barth
- Re: [websec] Last Call: <draft-ietf-websec-origin… Adam Barth
- Re: [websec] Last Call: <draft-ietf-websec-origin… Julian Reschke