
Re: [websec] Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept) to Proposed Standard

2011-09-02 14:39:10
On Aug 23, 2011, at 2:19 PM, The IESG wrote:

The IESG has received a request from the Web Security WG (websec) to
consider the following document:
- 'The Web Origin Concept'
 <draft-ietf-websec-origin-04.txt> as a Proposed Standard

Sec 2.2: the definition of OWS includes a mistake that I just fixed in httpbis.

   OWS            = *( [ obs-fold ] WSP )
                    ; "optional" whitespace
   obs-fold       = CRLF

should be

   OWS            = *( HTAB / SP / obs-fold )
                    ; "optional" whitespace
   obs-fold       = CRLF ( HTAB / SP )
                    ; obsolete line folding

The problem isn't in OWS itself -- the above are equivalent.
It is the definition of obs-fold that is wrong because it stands
for the obsolete line folding allowed by RFC2616 (RFC822, etc.).
A CRLF alone is not an obs-fold, so optimizing the ABNF in that
way was wrong in httpbis.  Likewise, I recommend replacing WSP with
its equivalent ( HTAB / SP ) because the name is misleading and
is only used in this one section.

OTOH, perhaps a simpler change is in order.  The above definitions
are only used once in the document (Section 7.1).  Furthermore,
since we are defining a new header field (and not all header fields),
we can be more proscriptive in 7.1 and remove the section above.

In 7.1, instead of

   origin              = "Origin:" OWS origin-list-or-null OWS

define it as

   origin              = "Origin:" [ SP ] origin-list-or-null

and then most of 2.2 can be removed.


Sec 8: typo:  s/those model /those models /


Otherwise, the spec looks good.


Cheers,

Roy T. Fielding                     <http://roy.gbiv.com/>
Principal Scientist, Adobe Systems  <http://adobe.com/enterprise>
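
The grammar points in the message above, checked mechanically in an added example that is not part of the original message or of the draft: the two OWS rules are transcribed to regular expressions and compared exhaustively over short whitespace strings, the two obs-fold rules are compared on a bare CRLF, and the Section 7.1 rule is compared with the proposed stricter form. Assumptions: `origin-list-or-null` is reduced to tokens separated by a single SP, and the sample header lines are constructed.

```python
import re
from itertools import product

# Draft -04, Sec 2.2:  OWS = *( [ obs-fold ] WSP )   obs-fold = CRLF
OWS_DRAFT = r"(?:(?:\r\n)?[ \t])*"
OBS_FOLD_DRAFT = r"\r\n"
# Proposed:  OWS = *( HTAB / SP / obs-fold )   obs-fold = CRLF ( HTAB / SP )
OWS_FIXED = r"(?:[ \t]|\r\n[ \t])*"
OBS_FOLD_FIXED = r"\r\n[ \t]"

# Assumption: origin-list-or-null reduced to tokens separated by one SP.
VALUE = r"[^ \t\r\n]+(?: [^ \t\r\n]+)*"
ORIGIN_OWS = "Origin:" + OWS_FIXED + VALUE + OWS_FIXED   # current Sec 7.1
ORIGIN_STRICT = "Origin: ?" + VALUE                      # proposed Sec 7.1


def accepts(rule, text):
    """True if the whole of `text` is derivable from `rule`."""
    return re.fullmatch(rule, text) is not None


def ows_disagreements(max_len=6):
    """Strings over {SP, HTAB, CR, LF} where the two OWS rules differ."""
    found = []
    for n in range(max_len + 1):
        for chars in product(" \t\r\n", repeat=n):
            s = "".join(chars)
            if accepts(OWS_DRAFT, s) != accepts(OWS_FIXED, s):
                found.append(s)
    return found


# Constructed sample header lines (not taken from the draft).
SAMPLES = [
    "Origin: http://example.com",
    "Origin:http://example.com",
    "Origin:\r\n\thttp://example.com",   # obsolete line folding
    "Origin:  http://example.com ",      # extra and trailing whitespace
]

if __name__ == "__main__":
    print("OWS rules differ on:", ows_disagreements())
    print("bare CRLF is obs-fold:", accepts(OBS_FOLD_DRAFT, "\r\n"),
          "(draft) vs", accepts(OBS_FOLD_FIXED, "\r\n"), "(proposed)")
    for line in SAMPLES:
        print(repr(line), accepts(ORIGIN_OWS, line), accepts(ORIGIN_STRICT, line))
```

An empty disagreement list is consistent with the message's statement that the two OWS rules are equivalent; only the standalone obs-fold rule changes meaning, and the stricter Section 7.1 form rejects the folded and padded sample lines that the OWS form accepts.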

