On Fri, May 27, 2011 at 10:24 PM, Mark Nottingham <[email protected]> wrote:
> A bit late to the party, but FWIW I like this document.

Thanks.

> It brings two questions to mind, however:
>
> * Currently, HTTPbis ticket 270 [1] moves the details of the Upgrade process
> in HTTP to p2-semantics [2], which "updates" (not obsoletes) RFC2817 [3], the
> definition of how to upgrade to TLS within HTTP/1.1 (i.e., without changing
> the scheme). I'm wondering if a stronger statement needs to be made; e.g.,
> obsoleting 2817, or marking it historic. It may also be worth mentioning in
> your draft as a bad practice.

This was actually already in the document somewhat obliquely, but I've made it less oblique by adding a reference to RFC 2817. In some sense, it's not really RFC 2817's fault because if that had become popular, then the rest of the security model would have evolved in a different way.

> * It doesn't mention CORS [4], which is a *much* more fine-grained (and as
> I've said many times, undesirably chatty) definition of a trust domain.
> Shouldn't there be some guidance on the relationship between these different
> concepts, when it's appropriate to use them, etc?

I've added a reference to CORS. I don't want to go into too much detail, but explaining that servers can opt into sharing their content more widely seems valuable.

Thanks!
Adam

> 1. <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/240>
> 2. <http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-14>
> 3. <http://www.ietf.org/rfc/rfc2817.txt>
> 4. <http://www.w3.org/TR/cors/>
>
>
> On 22/02/2011, at 9:10 AM, Adam Barth wrote:
>
>> Pursuant to the charter, I've posted an informational draft that
>> "describes the same-origin security model overall:"
>>
>> http://www.ietf.org/id/draft-abarth-principles-of-origin-00.txt
>>
>> I don't expect this document to be very controversial. I'm sure folks
>> will nitpick me over renaming URL to URI and MIME types to media
>> types, however. :)
>>
>> Feedback welcome.
>>
>> Adam
>
> --
> Mark Nottingham http://www.mnot.net/

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
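Added example, not part of this thread or of Adam's draft: the (scheme, host, port) origin comparison the draft describes, alongside a server-side CORS allow list that opts specific origins in, as discussed above. It also shows why an RFC 2817-style upgrade that keeps the http scheme is a problem: cleartext and TLS-protected content would then fall into one origin. The function names and the allow-list policy are assumptions.

```python
from __future__ import annotations
from typing import Optional
from urllib.parse import urlsplit

# Default port per scheme; a URL naming the default port has the same
# origin as one that omits it.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def origin_of(url: str) -> Optional[tuple[str, str, int]]:
    """Return the (scheme, host, port) origin of a URL, or None when the
    URL has no network authority (no scheme/host/port origin exists)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    return (scheme, parts.hostname, port if port is not None else DEFAULT_PORTS[scheme])

def same_origin(a: str, b: str) -> bool:
    """All three tuple members must match. An RFC 2817-style upgrade that
    kept the 'http' scheme would make cleartext and TLS content one origin;
    switching the scheme to 'https' is what keeps them apart."""
    oa, ob = origin_of(a), origin_of(b)
    return oa is not None and oa == ob

def serialize_origin(origin: tuple[str, str, int]) -> str:
    """Serialization as it appears in Origin / Access-Control-Allow-Origin."""
    scheme, host, port = origin
    return f"{scheme}://{host}" if port == DEFAULT_PORTS[scheme] else f"{scheme}://{host}:{port}"

def cors_headers(request_origin: Optional[str], allowed: frozenset[str]) -> dict[str, str]:
    """Server-side CORS opt-in (assumed policy): echo only origins on an
    explicit allow list. Anything else gets no Access-Control-Allow-Origin
    header, so the browser keeps the same-origin default and a cross-origin
    page cannot read the response."""
    if request_origin is None or request_origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
```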
