14392 2011-10-05 19:05:01 +0000 Remove locked same-origin policy from HTML5 spec 2011-10-21 22:24:16 +0000 1 1 1 Unclassified HTML WG HTML5 spec unspecified Other other RESOLVED FIXED http://www.whatwg.org/specs/web-apps/current-work/#origin-0 P3 normal --- 1 contributor ian ian mike public-html-admin public-html-wg-issue-tracking w3c w3c public-html-bugzilla oldest_to_newest 57858 0 contributor 2011-10-05 19:05:01 +0000 Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html Multipage: http://www.whatwg.org/C#origin-0 Complete: http://www.whatwg.org/c#origin-0 Comment: This is not an effective way to isolate documents if they import script via relative URLs or have forms that submit to relative URLs, so it seems dangerous to include in the HTML5 spec. See http://w2spconf.com/2008/papers/s2p1.pdf Posted from: 209.129.244.250 User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.6 (KHTML, like Gecko) Chrome/16.0.899.0 Safari/535.6 57862 1 w3c 2011-10-05 19:48:48 +0000 The specific text is: In addition, if the URL is in fact associated with a Document object that was created by parsing the resource obtained from fetching URL, and this was done over a secure connection, then the server's secure certificate may be added to the origin as additional data. This "locked same-origin policy" was originally proposed in by Karlof et al in "Dynamic pharming attacks and locked same-origin policies for web browsers" (CCS 2007). However, locked SOP is not an effective way to isolate documents if they import script via relative URLs or have forms that submit to relative URLs. See http://w2spconf.com/2008/papers/s2p1.pdf Because it's so hard to use securely, it seems dangerous to include in the HTML5 spec. 57863 2 w3c 2011-10-05 19:52:00 +0000 This section should really just point to http://tools.ietf.org/html/draft-ietf-websec-origin for most of this stuff. That draft was recently approved by the IESG and should be assigned an RFC number somewhat soon (in IETF timescales). 58663 3 ian 2011-10-21 22:23:54 +0000 EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Accepted Change Description: see diff given below Rationale: Concurred with reporter's comments. 58664 4 contributor 2011-10-21 22:24:16 +0000 Checked in as WHATWG revision r6728. Check-in comment: Defer to the origin spec for URL origin. http://html5.org/tools/web-apps-tracker?from=6727&to=6728