
Re: Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept) to Proposed Standard

2011-08-24 12:38:20
Hi, a clear definition of "same origin" on standards track is a good thing.
Maybe some details could be improved:

1 - <OWS>, maybe I miss the point, but that is apparently the same as LWSP
    with an additional SHOULD to produce only a single SP.  If that is the
    case just saying LWSP would be clearer.  Caveat, the similar <OWS> in
    I-D.ietf-httpbis-p1-messaging-15 does not yet/more say that TAB is bad.
    If you insist on it please replace WSP by SP, and add HT to <obs-fold>.

2 - GUID, if this is supposed to be a UUID as described in RFC 4122 please
    say so.  Otherwise say *what* it is.  Reading section 4 I was sure that
    it talks about a "name-based UUID" (RFC 4122 section 4.3 for the URL
    namespace in appendix C of RFC 4122), a.k.a. UUID version 3 or 5.

    But later section 5 bullet 3 apparently expects UUID version 1 based
    on timestamps, and not some kind of "URI equality" as in version 3/5.

3 - i18n, the Unicode serialization is defined, but apparently not used.
    Is the draft actually designed for IRIs instead of URIs?  There is a
    "MUST support IDNA2003, if IDNA2008 is unsupported" in the i18n part:
    I don't get why if only URIs are affected.

    I think you want IRIs, and that's why you reference IDNA, please add
    a reference to RFC 3987 and use the correct term if that is the case.
    If you really only want URIs you could get rid of the unused Unicode
    serialization and the IDNA mustard.

4 - null
    For the Origin: HTTP header field the important serialization is in
    both cases ASCII, please swap sections 6.1 and 6.2, and limit the
    Unicode section to step 4.  Steps 1..3 and 5..6 are identical, and
    just saying "null" in the same style as "://" would be clearer than
    talking about U+006E, U+0075, U+006C, U+006C in the ASCII section.

    If what you really want is a case-sensitive lower-case string "null"
    the ABNF notation for both serializations should be %x6E.75.6C.6C or
    similar.

5 - www, obviously you decided that there will be no exception for www.
    Maybe note why in the FAQ (section 3.2).  I can't say that I like
    the concept "different port or different scheme is never the same
    origin", but at least it is clear, and automatically covers https:.

-Frank
_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

From: Frank Ellermann
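The origin rule the message discusses in points 4 and 5 (scheme, host and port must all match, "://" between scheme and host, a literal "null" when no usable origin exists), as an added Python example that is not code from the original message or from the draft; the default-port handling and treating every null origin as distinct are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumed default ports for the two schemes this example handles.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the origin triple (scheme, host, port) for a URL, or None
    for the null origin (unsupported scheme or no host component)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # Assumption: an absent port means the scheme's default port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def serialize_origin(origin):
    """ASCII serialization: the string "null" for the null origin,
    otherwise scheme "://" host, plus ":" port only when the port
    is not the scheme's default (assumed rule)."""
    if origin is None:
        return "null"
    scheme, host, port = origin
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def same_origin(url_a, url_b):
    """Two URLs share an origin only if scheme, host and port all match.
    A different scheme (http vs https), a different port, or a different
    host (www.example.com vs example.com) is never the same origin."""
    origin_a, origin_b = origin_of(url_a), origin_of(url_b)
    # Assumption: a null origin is unique and never equals another origin.
    if origin_a is None or origin_b is None:
        return False
    return origin_a == origin_b
```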