The Web Origin Concept
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org>
To: IETF-Announce <email@example.com>
Cc: RFC Editor <firstname.lastname@example.org>, websec mailing list <email@example.com>, websec chair <firstname.lastname@example.org>
Subject: Protocol Action: 'The Web Origin Concept' to Proposed Standard (draft-ietf-websec-origin-06.txt)

The IESG has approved the following document:
- 'The Web Origin Concept' (draft-ietf-websec-origin-06.txt) as a Proposed Standard

This document is the product of the Web Security Working Group.

The IESG contact persons are Peter Saint-Andre and Pete Resnick.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-websec-origin/
Technical Summary

This document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document defines how to determine the origin of a URI, how to serialize an origin into a string, and an HTTP header, named "Origin", that indicates which origins are associated with an HTTP request.

Working Group Summary

There was nothing particularly worth noting about the WG process. Specifically, there was no strong controversy about this document. The document received sufficient review from WG participants and individuals outside the WG. Furthermore, reviews also covered document versions before their adoption by the WG or even prior to the formation of the WebSec WG (i.e., draft-abarth-origin and draft-abarth-principles-of-origin).

Document Quality

The origin concept is widely used in the web browser and application environment to determine trusted sources. Still, it may be noteworthy that some current implementations of the origin concept may differ in whether all three elements of the origin tuple must be identical to constitute identity of origin (in some current browser implementations the scheme or port might receive less weight). The text regarding comparison of internationalized domain names benefited from extensive discussion with Patrik Faltstrom, Jeff Hodges, John Klensin, and Pete Resnick.
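The three operations the Technical Summary names (determining the origin of a URI, serializing it, and forming the Origin header value) and the comparison discrepancy the Document Quality note mentions, worked through in JavaScript. This is an added example, not code from the draft or from any browser: it assumes the WHATWG URL parser for scheme/host/port extraction, a small default-port table, and a counter standing in for the "globally unique identifier" the draft assigns to URIs without a usable hierarchical naming authority. The host-only comparison at the end is a constructed illustration of an implementation that gives port and scheme less weight, not a description of any particular browser.

```javascript
// Added example (not from draft-ietf-websec-origin): origin of a URI,
// serialization, Origin header value, and same-origin comparison.
// Assumption: default ports for the schemes this example treats as
// hierarchical; anything else yields a globally unique origin.
const DEFAULT_PORTS = { http: 80, https: 443, ws: 80, wss: 443, ftp: 21 };

let uniqueCounter = 0; // stand-in for a globally unique identifier

// Origin of a URI: the (scheme, host, port) triple when the scheme is
// hierarchical and supported; otherwise a fresh unique identifier.
// The port defaults to the scheme's default when the URI omits it.
function originOf(uriString) {
  let url;
  try {
    url = new URL(uriString); // WHATWG parser lowercases scheme and host
  } catch (e) {
    return { unique: true, id: ++uniqueCounter };
  }
  const scheme = url.protocol.slice(0, -1).toLowerCase();
  if (!(scheme in DEFAULT_PORTS) || url.hostname === "") {
    return { unique: true, id: ++uniqueCounter }; // e.g. data:, about:
  }
  const port = url.port === "" ? DEFAULT_PORTS[scheme] : Number(url.port);
  return { unique: false, scheme, host: url.hostname, port };
}

// Serialization: scheme "://" host, plus ":" port only when the port is
// not the scheme's default. Unique origins serialize as the string "null".
function serializeOrigin(origin) {
  if (origin.unique) return "null";
  let s = `${origin.scheme}://${origin.host}`;
  if (origin.port !== DEFAULT_PORTS[origin.scheme]) s += `:${origin.port}`;
  return s;
}

// Origin header field value: a space-separated list of serialized
// origins, or the literal "null" when no origin can be expressed.
function originHeaderValue(origins) {
  if (origins.length === 0 || origins.some((o) => o.unique)) return "null";
  return origins.map(serializeOrigin).join(" ");
}

// Same-origin test as the draft defines it: scheme, host and port must all
// match. Two unique origins match only if they are the same identifier, so
// two origins that both serialize to "null" are still different origins.
function sameOrigin(a, b) {
  if (a.unique || b.unique) return a.unique && b.unique && a.id === b.id;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed illustration of the laxer comparison the Document Quality
// note describes: host only, giving scheme and port no weight. It treats
// http://example.com and http://example.com:8080 as the same origin.
function sameOriginHostOnly(a, b) {
  if (a.unique || b.unique) return sameOrigin(a, b);
  return a.host === b.host;
}

// Stand-alone run on constructed inputs.
const a = originOf("HTTP://Example.COM:80/path?q=1");
const b = originOf("http://example.com:8080/other");
console.log(serializeOrigin(a), serializeOrigin(b)); // default port omitted
console.log("strict:", sameOrigin(a, b), "host-only:", sameOriginHostOnly(a, b));
console.log("Origin:", originHeaderValue([a]));
```

The strict comparison is the one the draft specifies; the host-only variant is included only to make the discrepancy concrete, since a resource served on port 8080 by one tenant would be treated as the same principal as the site on port 80 under such a rule.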