Hi Adam,

A bit late to the party, but FWIW I like this document.

It brings two questions to mind, however:

* Currently, HTTPbis ticket 270 [1] moves the details of the Upgrade process in HTTP to p2-semantics [2], which "updates" (not obsoletes) RFC2817 [3], the definition of how to upgrade to TLS within HTTP/1.1 (i.e., without changing the scheme). I'm wondering if a stronger statement needs to be made; e.g., obsoleting 2817, or marking it historic. It may also be worth mentioning in your draft as a bad practice.

* It doesn't mention CORS [4], which is a *much* more fine-grained (and, as I've said many times, undesirably chatty) definition of a trust domain. Shouldn't there be some guidance on the relationship between these different concepts, when it's appropriate to use them, etc.?

Cheers,

1. <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/240>
2. <http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-14>
3. <http://www.ietf.org/rfc/rfc2817.txt>
4. <http://www.w3.org/TR/cors/>

On 22/02/2011, at 9:10 AM, Adam Barth wrote:

> Pursuant to the charter, I've posted an informational draft that
> "describes the same-origin security model overall:"
>
> http://www.ietf.org/id/draft-abarth-principles-of-origin-00.txt
>
> I don't expect this document to be very controversial. I'm sure folks
> will nitpick me over renaming URL to URI and MIME types to media
> types, however. :)
>
> Feedback welcome.
>
> Adam
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec

--
Mark Nottingham
http://www.mnot.net/