On Fri, May 27, 2011 at 10:24 PM, Mark Nottingham <[email protected]> wrote:
> A bit late to the party, but FWIW I like this document.

Thanks.  Not too late.  I've got the doc open in my editor as we speak.  :)

> It brings two questions to mind, however:
>
> * Currently, HTTPbis ticket 270 [1] moves the details of the Upgrade process 
> in HTTP to p2-semantics [2], which "updates" (not obsoletes) RFC2817 [3], the 
> definition of how to upgrade to TLS within HTTP/1.1 (i.e., without changing 
> the scheme). I'm wondering if a stronger statement needs to be made; e.g., 
> obsoleting 2817, or marking it historic. It may also be worth mentioning in 
> your draft as a bad practice.

Yeah, it's probably not intuitive why this causes security problems.

> * It doesn't mention CORS [4], which is a *much* more fine-grained (and as 
> I've said many times, undesirably chatty) definition of a trust domain. 
> Shouldn't there be some guidance on the relationship between these different 
> concepts, when it's appropriate to use them, etc?

There's a whole topic of controlled interaction between principals
(e.g., CORS, postMessage).  That's certainly important stuff, but it's
not clear to me how to say something helpful about it compactly.  In
some sense, it's "a layer above" in that it builds on top of these
concepts. I'll find a way to add something in the network access
section about opting into more sharing (e.g., CORS).

Thanks!
Adam


> 1. <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/240>
> 2. <http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-14>
> 3. <http://www.ietf.org/rfc/rfc2817.txt>
> 4. <http://www.w3.org/TR/cors/>
>
>
> On 22/02/2011, at 9:10 AM, Adam Barth wrote:
>
>> Pursuant to the charter, I've posted an informational draft that
>> "describes the same-origin security model overall:"
>>
>> http://www.ietf.org/id/draft-abarth-principles-of-origin-00.txt
>>
>> I don't expect this document to be very controversial.  I'm sure folks
>> will nitpick me over renaming URL to URI and MIME types to media
>> types, however.  :)
>>
>> Feedback welcome.
>>
>> Adam
>> _______________________________________________
>> websec mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/websec
>
> --
> Mark Nottingham   http://www.mnot.net/
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
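The RFC 2817 point raised above, worked through as an added example (not code from the draft or from either poster): a browser derives a document's origin from the scheme/host/port tuple of its URL (an assumption here, not something this thread spells out), so a page fetched over a connection upgraded to TLS via HTTP/1.1 `Upgrade` keeps the `http` scheme and the same origin as plaintext content from that host, whereas an `https` URL yields a distinct origin. The `Document` class and `can_script_access` check are illustrative simplifications.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Default port per scheme, used when the URL omits an explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) origin tuple of an http(s) URL.

    Scheme and host compare case-insensitively; a missing port takes the
    scheme's default. Nothing about the transport enters the tuple.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


@dataclass(frozen=True)
class Document:
    """A loaded document (hypothetical model). `over_tls` records whether the
    bytes arrived over TLS, e.g. after an RFC 2817 Upgrade; it is deliberately
    NOT consulted when computing the origin, mirroring browser behaviour."""
    url: str
    over_tls: bool


def can_script_access(source: Document, target: Document) -> bool:
    """Same-origin check: script in `source` may touch `target`'s DOM only
    when their origin tuples are equal."""
    return origin_of(source.url) == origin_of(target.url)


if __name__ == "__main__":
    # Constructed sample: an account page fetched after Upgrade-to-TLS, and a
    # plaintext page from the same host that an on-path party could alter.
    upgraded = Document("http://example.com/account", over_tls=True)
    plaintext = Document("http://example.com/ads", over_tls=False)
    https_page = Document("https://example.com/account", over_tls=True)
    print(can_script_access(plaintext, upgraded))    # True: same http origin
    print(can_script_access(plaintext, https_page))  # False: https is distinct
```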