Today, the IETF published two document: RFC 6454, The Web Origin Concept, and RFC 6455, The WebSocket Protocol. Both these documents started out as sections in the HTML5 specification, which has been a hotbed of standards activity over the past few years, but they took somewhat different paths through the standards process.
RFC 6454's path through the IETF process was mostly smooth sailing. The document defines the same-origin policy, which is widely implemented and fairly cut-and-dried. In addition to the comparison and serialization algorithms we inherited from the WHATWG, the websec working group added a definition of the Origin HTTP header, which is used by CORS, and a broad description of the principles behind the same-origin policy.
RFC 6455's path was less smooth. The protocol underwent several major revisions in the WHATWG, before reaching the IETF. The protocol was fairly mature by the time it reached the hybi working group and was implemented in WebKit and Firefox. Unfortunately, some details of the protocol offended HTTP purists, who wanted the protocol handshake to comply with HTTP. The working group polished up these details, leading to churn in the protocol.
Around this time, some colleagues and I were studying the interaction between DNS rebinding and transparent proxies. It occurred to us that folks had analyzed the end-to-end security properties of WebSockets but less effort had been expended analyzing the interaction between WebSockets and transparent proxies. We studied these issues and found an interesting vulnerability. We presented our findings to the working group, which updated the protocol to fix issue.
One perspective on these events is that they are a success. We found and fixed a protocol-level vulnerability before the protocol was deployed widely. Another perspective is that we annoyed early adopters polishing unimportant protocol details. My view is that this debate boils down to whether you really believe that worse is better. For my part, I believe we had a net positive impact, but I hope we can be less disruptive to early adopters when we improve security in the future.