
Ticket #322 (closed design: wontfix)

Opened 3 years ago

Last modified 2 years ago

Origin

Reported by: mnot@pobox.com
Owned by: julian.reschke@gmx.de
Priority: normal
Milestone: unassigned
Component: non-specific
Severity: Active WG Document
Keywords:
Cc:
Origin:

Description

The WEBSEC WG has published the Origin draft; there may be a few places we could/should consider referencing its terminology (to help reduce impedance mismatch in different parts of the Web arch).

Change History

comment:1 Changed 3 years ago by mnot@pobox.com

  • Owner set to mnot@pobox.com

comment:2 Changed 3 years ago by mnot@pobox.com

Candidates:

  • p7 2.2 defines: "A protection space is defined by the canonical root URI (the scheme and authority components of the effective request URI; see Section 4.3 of [Part1]) of the server being accessed, in combination with the realm value if present."
  • p6 2.5: "However, a cache MUST NOT invalidate a URI from a Location or Content-Location header field if the host part of that URI differs from the host part in the effective request URI (Section 4.3 of [Part1]). This helps prevent denial of service attacks."
  • It may also be worth mentioning in p1 2.1 Client/Server Messaging (where "server" is defined).

comment:3 Changed 3 years ago by mnot@pobox.com

Proposal for p7 2.2:

"""A protection space is defined by the origin [ref to origin rfc], combined with the realm value (if present)."""

Proposal for p6 2.5:

"""However, a cache MUST NOT invalidate a URI from a Location or Content-Location header field if that URI does not have the same origin as that of the effective request URI (section 4.3 of [Part1]), as specified in [ref to origin rfc]."""

comment:4 Changed 3 years ago by julian.reschke@gmx.de

  • Owner changed from mnot@pobox.com to julian.reschke@gmx.de
  • Status changed from new to assigned

comment:5 Changed 3 years ago by dan.winship@gmail.com

maybe also p1 2.7.2:

Resources made available via the "https" scheme have no shared identity with the "http" scheme even if their resource identifiers indicate the same authority (the same host listening to the same TCP port). They are distinct name spaces and are considered to be distinct origin servers.
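The difference the thread is weighing, shown as an added Python illustration (not text or code from the ticket, HTTPbis, or the Origin draft): the host-only comparison in the current p6 2.5 wording (comment 2), the same-origin comparison proposed in comment 3, and the http/https separation quoted in comment 5. Function names and sample URIs are made up here, and it assumes absolute URIs in Location/Content-Location.

```python
from urllib.parse import urlsplit

# Constructed for this illustration; default ports used when a URI omits one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(uri):
    """Return the (scheme, host, port) triple of an absolute URI.

    Scheme and host compare case-insensitively and a missing port is filled
    in with the scheme default, which is what makes "http" and "https" on the
    same host distinct origins, as p1 2.7.2 already says in prose.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_host(request_uri, location_uri):
    """Current p6 2.5 wording: compare only the host part of the two URIs."""
    return origin(request_uri)[1] == origin(location_uri)[1]


def same_origin(request_uri, location_uri):
    """Proposed p6 2.5 wording: compare the whole origin triple."""
    return origin(request_uri) == origin(location_uri)


def may_invalidate(request_uri, location_uri, rule=same_origin):
    """Whether a cache may invalidate location_uri after an unsafe request on
    request_uri. A False result is the denial-of-service guard: an unrelated
    site must not be able to evict entries for another one."""
    return rule(request_uri, location_uri)


def protection_space(request_uri, realm=None):
    """p7 2.2 as proposed in comment 3: origin of the effective request URI
    combined with the realm value, if present."""
    return (origin(request_uri), realm)


if __name__ == "__main__":
    req, loc = "http://example.com/a", "https://example.com/b"
    print("host rule allows:", may_invalidate(req, loc, rule=same_host))
    print("origin rule allows:", may_invalidate(req, loc))
```

Note that under the host-only rule an https entry can be invalidated by an http request to the same host, which the origin rule refuses.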

comment:6 Changed 3 years ago by mnot@pobox.com

  • Milestone changed from unassigned to 19

comment:7 Changed 3 years ago by julian.reschke@gmx.de

  • Milestone changed from 19 to unassigned

comment:8 Changed 2 years ago by mnot@pobox.com

  • Status changed from assigned to closed
  • Resolution set to wontfix

Discussed in Paris; Origin is specific to a browser's view of the world, and the utility of referring to it is doubtful. Suggestion was to close with no action; confirmed on list.
