Skip to main content

The Web Origin Concept
RFC 6454

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: RFC Editor <>,
    websec mailing list <>,
    websec chair <>
Subject: Protocol Action: 'The Web Origin Concept' to Proposed Standard (draft-ietf-websec-origin-06.txt)

The IESG has approved the following document:
- 'The Web Origin Concept'
  (draft-ietf-websec-origin-06.txt) as a Proposed Standard

This document is the product of the Web Security Working Group.

The IESG contact persons are Peter Saint-Andre and Pete Resnick.

A URL of this Internet Draft is:

Ballot Text

   Technical Summary

      This document defines the concept of an "origin", which is often
      used as the scope of authority or privilege by user agents.  Typically,
      user agents isolate content retrieved from different origins to
      prevent malicious web site operators from interfering with the
      operation of benign web sites.  In addition to outlining the
      principles that underlie the concept of origin, this document defines
      how to determine the origin of a URI, how to serialize an origin into
      a string, and an HTTP header, named "Origin", that indicates which
      origins are associated with an HTTP request.

   Working Group Summary

      There was nothing particularly worth noting about the WG process.
      Specifically there was no strong controversy about this document.
      The document received sufficient review from WG participants and 
      individuals outside the WG.  Furthermore, reviews also covered 
      document versions before their adoption by the WG or even prior to 
      the formation of the WebSec WG (i.e., draft-abarth-origin and 

   Document Quality

      The origin concept is widely used in the web browser and application
      environment to determine trusted sources.  Still it may be noteworthy
      that some current implementations of the origin concept may differ
      in whether all three elements of the origin-tuple must be identical
      to constitute identity of origin (in some current browser
      implementations the scheme or port might receive less weight).

      The text regarding comparison of internationalized domain names
      benefited from extensive discussion with Patrik Faltstrom, Jeff Hodges,
      John Klensin, and Pete Resnick.

RFC Editor Note