Hi, I have just submitted this draft. The purpose of this is to address the case where a single portal hides several real servers behind it, by translating their URLs into URLs that seem to be from that server.

In that case the same origin policy is not enforced correctly, because cookies and scripts from one server behind the portal (for example, a mail server) can be shared and can affect pages from another server behind the same portal. This draft proposes a header that will tell the client (browser) what the real origin is, and allow the client to apply the SOP. If people find this interesting, I would like to discuss this in Paris. Any comments will be greatly appreciated.

Yoav

Begin forwarded message:

From: internet-dra...@ietf.org
Subject: I-D Action: draft-nir-websec-extended-origin-00.txt
Date: February 3, 2012 12:00:21 AM GMT+02:00
To: i-d-annou...@ietf.org
Reply-To: internet-dra...@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories.

Title : A More Granular Web Origin Concept
Author(s) : Yoav Nir
Filename : draft-nir-websec-extended-origin-00.txt
Pages : 8
Date : 2012-02-02

This document defines an HTTP header that allows partitioning a single origin as defined in RFC 6454 into multiple origins, so that the same origin policy applies among them. The header introduced in this document allows the portal to specify that resources that appear to be from the same origin should, in fact, be treated as though they are from different origins, by extending the 3-tuple of the origin to a 4-tuple. The user agent is expected to apply the same-origin policy according to the 4-tuple rather than the 3-tuple.

A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-nir-websec-extended-origin-00.txt
Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/
This Internet-Draft can be retrieved at: ftp://ftp.ietf.org/internet-drafts/draft-nir-websec-extended-origin-00.txt
_______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec
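The 3-tuple versus 4-tuple comparison the announcement describes, modelled as an added example (not code from the draft or from the post): a portal serves two back-end servers under one RFC 6454 origin, and a user agent that honours the extended origin keeps their scripts apart. The header name `Extended-Origin`, its opaque-string value, and treating a response without the header as its own partition are assumptions made here for illustration, not the draft's actual syntax.

```javascript
// Added example: RFC 6454 origin (scheme, host, port) extended to a 4-tuple
// with a portal-supplied partition label. Header name/format are assumed.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Classic 3-tuple origin: scheme, host, effective port.
function rfc6454Origin(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol.replace(":", ""),
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// 4-tuple origin: the 3-tuple plus the label from the (assumed)
// Extended-Origin response header. A missing header yields null, so a
// labelled resource never matches an unlabelled one (assumption).
function extendedOrigin(urlString, headers) {
  const ext = headers["extended-origin"];
  return { ...rfc6454Origin(urlString), ext: ext === undefined ? null : ext.trim() };
}

// Same-origin check as a browser would do it today (3-tuple only).
function sameOrigin3(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Same-origin check a user agent implementing the draft would do (4-tuple).
function sameOrigin4(a, b) {
  return sameOrigin3(a, b) && a.ext === b.ext;
}

// Constructed sample: one portal fronting a mail server and a wiki server,
// each tagged by the portal on the way out. Headers are lowercased keys.
const mailPage = extendedOrigin("https://portal.example/mail/inbox", { "extended-origin": "mail" });
const mailScript = extendedOrigin("https://portal.example:443/mail/app.js", { "extended-origin": "mail" });
const wikiPage = extendedOrigin("https://portal.example/wiki/home", { "extended-origin": "wiki" });
const untagged = extendedOrigin("https://portal.example/legacy/", {});

// Summary a reader can print: every pair is same-origin under the 3-tuple,
// but only mail page + mail script share a 4-tuple origin.
function report() {
  return {
    mailVsWiki3: sameOrigin3(mailPage, wikiPage),   // true: SOP gives no isolation
    mailVsWiki4: sameOrigin4(mailPage, wikiPage),   // false: partitioned
    mailVsScript4: sameOrigin4(mailPage, mailScript), // true: same back end
    mailVsUntagged4: sameOrigin4(mailPage, untagged), // false: no label
  };
}
```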