From 6981fc020181bdff8d73473345b7e61bbb48e88b Mon Sep 17 00:00:00 2001 From: Dan Lazin Date: Fri, 25 Feb 2022 17:35:54 -0500 Subject: [PATCH 1/2] Add paragraph about origin-specific headers being hard to use in EPUB --- epub33/core/index.html | 6 ++++++ epub33/rs/index.html | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/epub33/core/index.html b/epub33/core/index.html index 88fcaf17f..a7b2d2732 100644 --- a/epub33/core/index.html +++ b/epub33/core/index.html @@ -8818,6 +8818,12 @@

Threat Model

Checking for malware and exploits at distribution time is not always reliable, either, as the malicious content can be swapped in any time after publication, unlike resources that come embedded in the EPUB Container.

+

The origin of an EPUB is both opaque and inconsistent between + Reading Systems. Consequently, if the EPUB Creator hosts remote resources on a web server they + control, the server effectively cannot use security features that require specifying allowable + origins, such as headers for CORS, + Content-Security-Policy, + or X-Frame-Options.

Linking to external resources
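Review bot: "opaque and inconsistent between Reading Systems" in the added paragraph leaves it unclear to whom the origin is opaque (the EPUB Creator writing the server configuration, not the Reading System), and the list of headers mixes mechanisms that are not all origin-dependent for a server that only hosts resources. `X-Frame-Options` and the CSP `frame-ancestors` directive matter only when the hosted resource is itself a document that gets framed; for non-document resources such as fonts or media, the mechanism that actually breaks is CORS, because the `Access-Control-Allow-Origin` response header has to name the requesting origin or fall back to `*`. Suggest saying whose knowledge is missing ("unknown to the EPUB Creator") and leading the list with CORS, with the framing headers mentioned only for the case where the remote resource is a framed document.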
diff --git a/epub33/rs/index.html b/epub33/rs/index.html index 5ee5a3465..4adf2f09b 100644 --- a/epub33/rs/index.html +++ b/epub33/rs/index.html @@ -2156,6 +2156,12 @@

Threat Model

Calls to remote resources can also be used to track information about users (e.g., through server logs). Reading Systems should limit the information they expose through HTTP requests to only what is essential to obtain the resource.

+

The origin of an EPUB is both opaque and inconsistent between + Reading Systems. Consequently, if the EPUB Creator hosts remote resources on a web server they + control, the server effectively cannot use security features that require specifying allowable + origins, such as headers for CORS, + Content-Security-Policy, + or X-Frame-Options.

External links
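Review bot: this copy of the paragraph is addressed to Reading System implementers, so it should say what the implementation-specific origin means for them rather than only describing the EPUB Creator's problem. The preceding context line already says "Reading Systems should limit the information they expose through HTTP requests to only what is essential to obtain the resource"; an implementation-specific origin sent in the `Origin` header (and any `Referer` header) is exactly such information, since it can identify the Reading System to the remote server. Suggest adding a sentence along the lines of: Reading Systems should avoid sending an identifying `Origin` or `Referer` value with remote resource requests (for example by using an opaque origin, which is serialized as `Origin: null`, and a no-referrer policy), and should document the origin they use so that EPUB Creators know what their servers will receive.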
From 37d730d0fcde526c246a3e3a2fe71354e191ca12 Mon Sep 17 00:00:00 2001 From: Dan Lazin Date: Tue, 1 Mar 2022 15:20:19 -0500 Subject: [PATCH 2/2] Adjust language based on Ivan and Matt's comments --- epub33/core/index.html | 9 +++++---- epub33/rs/index.html | 9 +++++---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/epub33/core/index.html b/epub33/core/index.html index a7b2d2732..35aeb9cd8 100644 --- a/epub33/core/index.html +++ b/epub33/core/index.html @@ -8818,10 +8818,11 @@

Threat Model

Checking for malware and exploits at distribution time is not always reliable, either, as the malicious content can be swapped in any time after publication, unlike resources that come embedded in the EPUB Container.

-

The origin of an EPUB is both opaque and inconsistent between - Reading Systems. Consequently, if the EPUB Creator hosts remote resources on a web server they - control, the server effectively cannot use security features that require specifying allowable - origins, such as headers for CORS, +

The origin of an EPUB is both unknown to the EPUB Creator and + specific to each Reading System implementation. Consequently, if the EPUB Creator hosts remote + resources on a web server they control, the server effectively cannot use security features that + require specifying allowable origins, such as headers for + CORS, Content-Security-Policy, or X-Frame-Options.

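Review bot: the rewording to "unknown to the EPUB Creator and specific to each Reading System implementation" fixes the perspective problem, but the unchanged clause "the server effectively cannot use security features that require specifying allowable origins" still overstates the case. A server that does not know the requesting origin can still send `Access-Control-Allow-Origin: *` (any origin, which also rules out credentialed requests) or `X-Frame-Options: DENY` (no origin at all); what it cannot do is allow a known set of origins and nothing else. Suggest "cannot restrict access to a known set of origins, and must instead either allow any origin or none", and note the trade-off that a wildcard makes the hosted resource loadable by any web page, not only by the EPUB that references it.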
diff --git a/epub33/rs/index.html b/epub33/rs/index.html index 4adf2f09b..88dcd9e1c 100644 --- a/epub33/rs/index.html +++ b/epub33/rs/index.html @@ -2156,10 +2156,11 @@

Threat Model

Calls to remote resources can also be used to track information about users (e.g., through server logs). Reading Systems should limit the information they expose through HTTP requests to only what is essential to obtain the resource.

-

The origin of an EPUB is both opaque and inconsistent between - Reading Systems. Consequently, if the EPUB Creator hosts remote resources on a web server they - control, the server effectively cannot use security features that require specifying allowable - origins, such as headers for CORS, +

The origin of an EPUB is both unknown to the EPUB Creator and + specific to each Reading System implementation. Consequently, if the EPUB Creator hosts remote + resources on a web server they control, the server effectively cannot use security features that + require specifying allowable origins, such as headers for + CORS, Content-Security-Policy, or X-Frame-Options.
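Review bot: after this patch the Core and Reading Systems documents carry a verbatim copy of the same paragraph (both hunks change the same three lines in the same way), which makes them likely to drift the next time one is edited, as already happened here with the wording both copies had to receive. Suggest keeping the authoritative text in one document and cross-referencing it from the other, or, if both must carry it, adding a comment in the source marking the two locations as mirrors so that future edits are applied to both.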