Origin

[mnot@…]

The WEBSEC WG has published the Origin draft; there may be a few places we could/should consider referencing its terminology (to help reduce impedance mismatch in different parts of the Web arch).

[mnot@…]

Candidates:

• p7 2.2 defines: "A protection space is defined by the canonical root URI (the scheme and authority components of the effective request URI; see Section 4.3 of [Part1]) of the server being accessed, in combination with the realm value if present.

• p6 2.5: "However, a cache MUST NOT invalidate a URI from a Location or Content-Location header field if the host part of that URI differs from the host part in the effective request URI (Section 4.3 of [Part1]). This helps prevent denial of service attacks."

• It may also be worth mentioning in p1 2.1 Client/Server? Messaging (where "server" is defined).

[mnot@…]

Proposal for p7 2.2:

"""A protection space is defined by the origin [ref to origin rfc], combined with the realm value (if present)."""

Proposal for p6 2.5:

"""However, a cache MUST NOT invalidate a URI from a Location or Content-Location header field if that URI does not have the same origin as that of the effective request URI (section 4.3 of [Part1]), as specified in [ref to origin rfc]."""

[dan.winship@…]

maybe also p1 2.7.2:

Resources made available via the "https" scheme have no shared identity with the "http" scheme even if their resource identifiers indicate the same authority (the same host listening to the same TCP port). They are distinct name spaces and are considered to be distinct origin servers.

[mnot@…]

Discussed in Paris; Origin is specific to a browser's view of the world, and the utility of referring to it is doubtful. Suggestion was to close with no action; confirmed on list.