On 2012-06-08 09:41, Adam Barth wrote:
> On Fri, Jun 8, 2012 at 12:31 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
>> Not sure where http://tools.ietf.org/html/rfc6454 is discussed these
>> days, but I think we should issue an errata for the list of origins.
>> In particular, I think we should not have the list of origins concept
>> in the platform and only accept a single origin or null. The new
>> syntax would be:
>>
>>   origin = "Origin:" OWS origin-or-null OWS
>>   origin-or-null = %x6E %x75 %x6C %x6C / serialized-origin
>>
>> It was introduced for CORS, but we decided not to use it there. I
>> don't think we want it elsewhere either. And leaving things like that
>> up to choice is bad.
>>
>> What do you think?
>
> Ok. We added it for CORS to support redirects. If you're not using
> it in CORS, I don't know of any other reason for it existing.
>
> I'm not sure how best to handle these issues from a process point of
> view. The IETF has an errata process we can try if you like. I'm
> open to other suggestions.

If there is agreement that this should change, I recommend submitting an
erratum (<http://www.rfc-editor.org/errata.php#reportnew>).

I would expect that this would be classified as "held for document
update"; so at some point in the future the RFC would need to be revised.

The right place to discuss this BTW is the ietf websec WG
(<http://tools.ietf.org/wg/websec/>).

Best regards, Julian
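
The single-origin grammar proposed in the quoted message, written as a strict parser for the Origin field value that rejects the space-separated origin list RFC 6454 currently permits. This is an added example, not part of the thread or of any specification text; the names `parse_origin_value` and `NULL_ORIGIN` are hypothetical, and host matching is a simplification of the RFC 3986 host grammar.

```python
import re

NULL_ORIGIN = "null"  # hypothetical marker returned for the literal "null"

# serialized-origin = scheme "://" host [ ":" port ]   (RFC 6454, section 7.1)
# Assumption: the host is matched loosely (reg-name/IPv4 characters or a
# bracketed IP literal), not with the full RFC 3986 host grammar.
_SERIALIZED_ORIGIN = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~!$&'()*+,;=%-]+)"
    r"(?::(?P<port>[0-9]*))?"
)


def parse_origin_value(value):
    """Parse an Origin field value under the proposed grammar:

        origin-or-null = %x6E %x75 %x6C %x6C / serialized-origin

    Returns NULL_ORIGIN or a (scheme, host, port) tuple; port is None when
    absent. Raises ValueError for anything else, including an origin list.
    """
    token = value.strip(" \t")  # OWS on both sides of the value

    # %x6E %x75 %x6C %x6C is the exact lowercase byte sequence "null".
    if token == NULL_ORIGIN:
        return NULL_ORIGIN

    # RFC 6454 origin-list = serialized-origin *( SP serialized-origin ).
    # Under the proposed grammar any inner whitespace is a syntax error.
    if " " in token or "\t" in token:
        raise ValueError("origin list not allowed: %r" % value)

    match = _SERIALIZED_ORIGIN.fullmatch(token)
    if match is None:
        raise ValueError("not a serialized origin: %r" % value)

    port = match.group("port")
    return (match.group("scheme"), match.group("host"),
            int(port) if port else None)
```

A receiver that parses this way either gets exactly one origin to compare or an error, so there is no decision to make about which entry of a list to trust.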