On Tue, 22 Jun 2010 14:06:23 +0200, Thomas Roessler <[email protected]> wrote:
> no news that I'd be aware of.
> Anne, can you take a first stab at the security considerations? As I
> said earlier, I'm available to review things, but don't have the
> bandwidth to do significant writing this week.

I read through the original thread again (several times, I might add) and
I'm still not sure what needs to be written down.
http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/thread.html#msg202
CONNECT, TRACK, and TRACE already have references with detailed
explanations.
DNS rebinding is a generic problem.
setRequestHeader no longer mentions security reasons.
HTTP redirects simply follow the same policy as normal requests.
Origin is also a generic problem. I suspect we'll switch references from
HTML5 to the origin specification in due course.
The SHOULD/MUST confusion has been addressed too.
The original thread concluded with looking for volunteers for certain
aspects and the question as to whether a generic document was needed. I
have attempted to clarify matters somewhat in the specification for
setRequestHeader. Other than that I believe said volunteers have not been
found. A document has not been written either. It has now been almost six
months. We can continue looking I suppose, and we probably should, but at
some point we have to cut our losses and move on.
--
Anne van Kesteren
http://annevankesteren.nl/