On 13 Jul 2010, at 22:54, Peter Saint-Andre wrote:

> On 7/13/10 3:26 PM, Iljitsch van Beijnum wrote:
>> On 13 jul 2010, at 18:49, Peter Saint-Andre wrote:
>>
>>> fun technologies like AJAX but also opens up the possibility for
>>> new attacks (cross-site scripting, cross-site request forgery,
>>> malvertising, clickjacking, and all the rest).
>>
>> Isn't this W3C stuff?
>
> Good question. We've had discussions about that with folks from the W3C
> and there's broad agreement that we'll divide up the work by having the
> IETF focus on topics that are more closely related to HTTP (e.g., new
> headers) and by having the W3C focus on topics that are more closely
> related to HTML and web browsers (e.g., Mozilla's Content Security
> Policy and the W3C's "Web Security Context: User Interface Guidelines"
> document).

> But the exact dividing line for that division of labor is a good issue
> for discussion at the HASMAT BoF.

+1 to that.

There are pieces to this area of work (e.g., JeffH's proposed Simple Transport Security) that mostly relate to IETF protocols. There are pieces (like CORS and UMP, aka "cross-site XMLHttpRequest") that are currently at W3C, are on the overlap between protocol work and the browser environment, and would benefit from IETF review. There are other pieces to this work (e.g., controlling the security policies within HTML5) that seem essentially in scope for W3C.

To me, it indeed sounds like it would be useful to do this sort of work in close coordination between W3C and IETF.

Regards,
--
Thomas Roessler, W3C <tlr@xxxxxx> (@roessler)

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf