IETF Logo Mail Archive

Re: [websec] Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept) to Proposed Standard

Adam Barth <ietf@adambarth.com> Sat, 03 September 2011 19:11 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 551AF21F8A4F; Sat, 3 Sep 2011 12:11:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.163
X-Spam-Level:
X-Spam-Status: No, score=-3.163 tagged_above=-999 required=5 tests=[AWL=-0.186, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aZ8MeIS4-z8i; Sat, 3 Sep 2011 12:11:57 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id EF00121F8A4D; Sat, 3 Sep 2011 12:11:55 -0700 (PDT)
Received: by iakc1 with SMTP id c1so5510747iak.31 for <multiple recipients>; Sat, 03 Sep 2011 12:13:35 -0700 (PDT)
Received: by 10.42.244.134 with SMTP id lq6mr2264370icb.228.1315077213645; Sat, 03 Sep 2011 12:13:33 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id df21sm5202269ibb.9.2011.09.03.12.13.31 (version=SSLv3 cipher=OTHER); Sat, 03 Sep 2011 12:13:32 -0700 (PDT)
Received: by iakc1 with SMTP id c1so5510702iak.31 for <multiple recipients>; Sat, 03 Sep 2011 12:13:31 -0700 (PDT)
Received: by 10.231.63.136 with SMTP id b8mr4488765ibi.43.1315077211107; Sat, 03 Sep 2011 12:13:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.199.137 with HTTP; Sat, 3 Sep 2011 12:13:01 -0700 (PDT)
In-Reply-To: <712C43CF-5F59-4F3D-B88F-11B3CEE52591@gbiv.com>
References: <20110823211953.14482.9265.idtracker@ietfa.amsl.com> <712C43CF-5F59-4F3D-B88F-11B3CEE52591@gbiv.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sat, 03 Sep 2011 12:13:01 -0700
Message-ID: <CAJE5ia98xTu3k1n1cNAzxsTVWKfba4J8bQjKL0=OF1Az5fWjBw@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: websec <websec@ietf.org>, ietf@ietf.org
Subject: Re: [websec] Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept) to Proposed Standard
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Sep 2011 19:11:58 -0000

On Fri, Sep 2, 2011 at 12:38 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> On Aug 23, 2011, at 2:19 PM, The IESG wrote:
>> The IESG has received a request from the Web Security WG (websec) to
>> consider the following document:
>> - 'The Web Origin Concept'
>>  <draft-ietf-websec-origin-04.txt> as a Proposed Standard
>
> Sec 2.2: the definition of OWS includes a mistake that I just fixed in httpbis.
>
>   OWS            = *( [ obs-fold ] WSP )
>                    ; "optional" whitespace
>   obs-fold       = CRLF
>
> should be
>
>   OWS            = *( HTAB / SP / obs-fold )
>                    ; "optional" whitespace
>   obs-fold       = CRLF ( HTAB / SP )
>                    ; obsolete line folding
>
> The problem isn't in OWS itself -- the above are equivalent.
> It is the definition of obs-fold that is wrong because it stands
> for the obsolete line folding allowed by RFC2616 (RFC822, etc.).
> A CRLF alone is not an obs-fold, so optimizing the ABNF in that
> way was wrong in httpbis.  Likewise, I recommend replacing WSP with
> its equivalent ( HTAB / SP ) because the name is misleading and
> is only used in this one section.

This text is intended to match the text from HTTPbis.  The most
recently published HTTPbis documents still contain the old
construction:

http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-16#section-1.2.2

Is there some way to see the as-yet-unpublished version with the
updated text so I can make sure to get it exactly right?

> OTOH, perhaps a simpler change is in order.  The above definitions
> are only used once in the document (Section 7.1).  Furthermore,
> since we are defining a new header field (and not all header fields),
> we can be more proscriptive in 7.1 and remove the section above.
>
> In 7.1, instead of
>
>   origin              = "Origin:" OWS origin-list-or-null OWS
>
> define it as
>
>   origin              = "Origin:" [ SP ] origin-list-or-null
>
> and then most of 2.2 can be removed.

Is there some advantage in doing that?  It seems better to define this
header in the same way we define all the other headers.  If we do
something different here, we run the risk of confusing folks into
thinking that it requires some sort of different generation or parsing
than everything else.

> Sec 8: typo:  s/those model /those models /

Fixed.

> Otherwise, the spec looks good.

Thanks!

Adam

v2.23.0 | Report a Bug | By Email