On Aug 23, 2011, at 2:19 PM, The IESG wrote:
> The IESG has received a request from the Web Security WG (websec) to
> consider the following document:
> - 'The Web Origin Concept'
>   <draft-ietf-websec-origin-04.txt> as a Proposed Standard
Sec 2.2: the definition of OWS includes a mistake that I just fixed in httpbis.
   OWS      = *( [ obs-fold ] WSP )
              ; "optional" whitespace
   obs-fold = CRLF
should be
   OWS      = *( HTAB / SP / obs-fold )
              ; "optional" whitespace
   obs-fold = CRLF ( HTAB / SP )
              ; obsolete line folding
The problem isn't in OWS itself -- the above are equivalent.
It is the definition of obs-fold that is wrong because it stands
for the obsolete line folding allowed by RFC2616 (RFC822, etc.).
A CRLF alone is not an obs-fold, so optimizing the ABNF in that
way was wrong in httpbis. Likewise, I recommend replacing WSP with
its equivalent ( HTAB / SP ) because the name is misleading and
is only used in this one section.
OTOH, perhaps a simpler change is in order. The above definitions
are only used once in the document (Section 7.1). Furthermore,
since we are defining a new header field (and not all header fields),
we can be more proscriptive in 7.1 and remove the section above.
In 7.1, instead of
   origin = "Origin:" OWS origin-list-or-null OWS
define it as
   origin = "Origin:" [ SP ] origin-list-or-null
and then most of 2.2 can be removed.
Sec 8: typo: s/those model /those models /
Otherwise, the spec looks good.
Cheers,
Roy T. Fielding <http://roy.gbiv.com/>
Principal Scientist, Adobe Systems <http://adobe.com/enterprise>
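
Added example, not part of the message above or of the draft: the ABNF rules it discusses, translated to Python regular expressions, showing that the two OWS definitions accept the same strings while the two obs-fold definitions do not, and what the stricter Section 7.1 rule stops accepting. The VALUE pattern is a simplified stand-in for origin-list-or-null (an assumption, since the message does not quote that rule), and all sample inputs are constructed.

```python
import re

CRLF, WSP = r"\r\n", r"[ \t]"

# As written in draft -04, Sec 2.2:  obs-fold = CRLF ; OWS = *( [ obs-fold ] WSP )
OBS_FOLD_DRAFT = CRLF
OWS_DRAFT = rf"(?:(?:{OBS_FOLD_DRAFT})?{WSP})*"

# As corrected in the message:  obs-fold = CRLF ( HTAB / SP ) ; OWS = *( HTAB / SP / obs-fold )
OBS_FOLD_FIXED = rf"{CRLF}{WSP}"
OWS_FIXED = rf"(?:{WSP}|{OBS_FOLD_FIXED})*"

# Assumption: simplified stand-in for origin-list-or-null, which the message does not quote.
ORIGIN = r"[a-z][a-z0-9+.-]*://[^\s/:]+(?::[0-9]+)?"
VALUE = rf"(?:null|{ORIGIN}(?: {ORIGIN})*)"

# Sec 7.1 as drafted:  origin = "Origin:" OWS origin-list-or-null OWS
ORIGIN_OWS = re.compile(rf"Origin:{OWS_FIXED}({VALUE}){OWS_FIXED}", re.I)
# Sec 7.1 proposed:    origin = "Origin:" [ SP ] origin-list-or-null
ORIGIN_STRICT = re.compile(rf"Origin: ?({VALUE})", re.I)

def matches(rule: str, text: str) -> bool:
    """True when the whole of text is derivable from the rule."""
    return re.fullmatch(rule, text) is not None

def parse(rule: re.Pattern, line: str):
    """Return the header value if the whole line matches the rule, else None."""
    m = rule.fullmatch(line)
    return m.group(1) if m else None

# Constructed sample inputs (not taken from the draft or the message).
WHITESPACE = ["", " ", "\t", "\r\n ", " \r\n\t ", "\r\n", "\r\n\r\n ", " \r\n"]
HEADERS = ["Origin: https://example.com", "Origin:null",
           "Origin:\r\n https://example.com", "Origin: https://example.com \t"]

if __name__ == "__main__":
    for s in WHITESPACE:  # both OWS definitions accept and reject the same strings
        print(f"OWS {s!r:14} draft={matches(OWS_DRAFT, s)} fixed={matches(OWS_FIXED, s)}")
    # The two obs-fold rules differ: a bare CRLF is a fold only under the draft text.
    print("obs-fold CRLF:", matches(OBS_FOLD_DRAFT, "\r\n"), matches(OBS_FOLD_FIXED, "\r\n"))
    for h in HEADERS:
        print(f"{h!r:40} ows={parse(ORIGIN_OWS, h)!r} strict={parse(ORIGIN_STRICT, h)!r}")
```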