[whatwg] The origin of pages on the local file system

Ian Hickson ian at hixie.ch
Wed Apr 30 13:51:37 PDT 2008

On Wed, 30 Apr 2008, Jeff Walden wrote:
> It was brought up during the latest postMessage patching in Mozilla that 
> the HTML5-mandated origin for file: URIs groups all local file system 
> pages into a single origin.  Pages are increasingly being used in 
> application-like contexts, and if Java is any example, grouping all 
> files into the same origin will eventually be problematic (if one even 
> chooses to argue it isn't now). (Firefox 3's postMessage will be 
> intentionally non-conforming with respect to file: pages in that sending 
> a message to a file: page will only work if you use "*" as the 
> targetOrigin, in the interests of not having different security 
> behaviors.)
> Firefox 3 changes from an all-files-are-same-origin model to a 
> contains-based model, roughly this in at least some cases: a file may 
> load any file which is a sibling of it, and it may load any file which 
> is a descendant of the file's parent directory.  I'm certain I'm 
> horribly mangling what actually happens in practice in at least some 
> situations, based on what I've read of the security comparison 
> functions, but this is at least a start at describing the behavior for 
> specification.  The original bug was 
> <https://bugzilla.mozilla.org/show_bug.cgi?id=230606>, but follow 
> dependencies and read comments to see what sort of issues were actually 
> encountered in practice and couldn't be ignored without breaking wide 
> swathes of content.

I've changed the spec to allow arbitrary behaviour for file://.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list