On 03/12/2008, at 11:32 PM, Ben Laurie wrote:

> On Wed, Dec 3, 2008 at 10:38 AM, Mark Nottingham <[EMAIL PROTECTED]> wrote:
>
>> Considering that one of your core use cases for this is security-related, I'm surprised that you're effectively arguing that HTTP and HTTPS URLs with the same authority be collapsed into one name space.
>>
>> Many standards and common practices currently sandbox policy and metadata to a single URL scheme + authority by default, including robots.txt, p3p.xml, cookie scoping,
>
> Surely cookies are scoped to HTTP and HTTPS by default.

It depends on who you talk to; we don't really have a spec for cookies that reflects reality, and there are subtle differences in the implementations. RFC2109 says

  The user agent keeps separate track of state information that arrives via Set-Cookie response headers from each origin server (as distinguished by name or IP address and port).

... but goes on to contradict that later on.

Authentication is a better example.

>> automated redirection processing in HTTP,
>
> I don't know what this is.

Argh - sorry, confused a proposal discussed recently with specified behaviour. Never mind.

>> cache invalidation, OPTIONS metadata, cross-site scripting
>
> There are standards for XSS???

There's a de facto standard in the browsers (same origin), and these folks are working towards something more formal, maybe;
  http://www.w3.org/2006/WSC/

--
Mark Nottingham     http://www.mnot.net/
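Added example, not part of the thread above: the two scopes Ben and Mark are comparing, side by side. It applies the cookie-matching rules that were later written down in RFC 6265 (sections 5.1.3, 5.1.4 and 5.4; published in 2011, so after this exchange) and the browsers' same-origin tuple of scheme, host and port. The cookie jar and URLs are constructed sample data, and the code is not from any of the participants or from the W3C group linked above. It generalizes slightly beyond the http/https point in the thread by also showing that the port is ignored for cookies but not for origins.

```python
"""Cookie scope vs. same-origin scope.

Cookie matching below follows RFC 6265 5.1.3 (domain), 5.1.4 (path) and 5.4
(which cookies get sent). Note what it never consults: the scheme (except
through the Secure attribute) and the port. The same-origin check does.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str              # host the cookie was set for, or its Domain= attribute
    path: str = "/"
    host_only: bool = True   # True when the server sent no Domain= attribute
    secure: bool = False     # Secure attribute: only sent over a secure scheme


_DEFAULT_PORT = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Same-origin identity of a URL: (scheme, host, port). Scheme and port both count."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORT.get(scheme))


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: exact match, or host is a subdomain of domain and not an IP literal."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: equal, or the cookie path is a directory prefix of the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for(jar, url: str):
    """Names of the cookies a user agent would attach to a request for url (RFC 6265 5.4)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    request_path = u.path or "/"
    sent = []
    for c in jar:
        if c.host_only and host != c.domain.lower():
            continue
        if not c.host_only and not domain_match(host, c.domain):
            continue
        if not path_match(request_path, c.path):
            continue
        if c.secure and scheme != "https":
            continue
        sent.append(c.name)
    return sent


# Constructed sample jar: assume all three were set by responses from https://example.com.
JAR = [
    Cookie("session", "example.com", secure=True),
    Cookie("prefs", "example.com"),
    Cookie("admin_pref", "example.com", path="/admin"),
]

if __name__ == "__main__":
    for url in ("https://example.com/", "http://example.com/",
                "http://example.com:8080/admin/users", "https://www.example.com/"):
        print(f"{url:38} cookies={cookies_for(JAR, url)}  "
              f"same origin as https://example.com/: {same_origin(url, 'https://example.com/')}")
```

Run it and the contrast is visible at once: http://example.com/ and http://example.com:8080/ still receive the non-Secure "prefs" cookie that was set over HTTPS, yet neither is the same origin as https://example.com/. Only the Secure attribute keeps "session" off the plaintext requests, which is why a cookie set without it cannot be relied on as scheme-scoped.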