[whatwg] The origin of pages on the local file system
Ian Hickson
ian at hixie.ch
Wed Apr 30 13:51:37 PDT 2008
On Wed, 30 Apr 2008, Jeff Walden wrote:
>
> It was brought up during the latest postMessage patching in Mozilla that
> the HTML5-mandated origin for file: URIs groups all local file system
> pages into a single origin. Pages are increasingly being used in
> application-like contexts, and if Java is any example, grouping all
> files into the same origin will eventually be problematic (if one even
> chooses to argue it isn't now). (Firefox 3's postMessage will be
> intentionally non-conforming with respect to file: pages in that sending
> a message to a file: page will only work if you use "*" as the
> targetOrigin, in the interests of not having different security
> behaviors.)
>
> Firefox 3 changes from an all-files-are-same-origin model to a
> contains-based model, roughly this in at least some cases: a file may
> load any file which is a sibling of it, and it may load any file which
> is a descendant of the file's parent directory. I'm certain I'm
> horribly mangling what actually happens in practice in at least some
> situations, based on what I've read of the security comparison
> functions, but this is at least a start at describing the behavior for
> specification. The original bug was
> <https://bugzilla.mozilla.org/show_bug.cgi?id=230606>, but follow
> dependencies and read comments to see what sort of issues were actually
> encountered in practice and couldn't be ignored without breaking wide
> swathes of content.

I've changed the spec to allow arbitrary behaviour for file://.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
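
The contains-based rule as the quoted message describes it, set beside the all-files-are-same-origin grouping, as an added example (not code from this thread, the HTML5 spec or Firefox). The function names and sample paths are hypothetical, and the check compares parsed URL strings only; it does not resolve symlinks or case-insensitive file systems.

```javascript
// Added sketch; not Firefox's implementation. All names here are hypothetical.

// Model 1: every file: URL belongs to one shared origin.
function sameOriginAllFiles(sourceUrl, targetUrl) {
  return new URL(sourceUrl).protocol === "file:" &&
         new URL(targetUrl).protocol === "file:";
}

// Directory part of a path, trailing slash kept so that "/home/u/app/"
// never prefix-matches "/home/u/app-private/".
function parentDirectory(pathname) {
  return pathname.slice(0, pathname.lastIndexOf("/") + 1);
}

// Model 2: a file may load its siblings and any descendant of its own
// parent directory, and nothing else.
function mayLoadFileUrl(sourceUrl, targetUrl) {
  let source, target;
  try {
    // The URL parser collapses "." and ".." segments (also "%2e%2e"),
    // so the prefix test below runs on the normalized path.
    source = new URL(sourceUrl);
    target = new URL(targetUrl);
  } catch (e) {
    return false; // unparseable input is denied
  }
  if (source.protocol !== "file:" || target.protocol !== "file:") return false;
  if (source.host !== target.host) return false;
  return target.pathname.startsWith(parentDirectory(source.pathname));
}

// Constructed sample targets, evaluated against one constructed page.
const PAGE = "file:///home/u/app/index.html";
const SAMPLES = [
  "file:///home/u/app/data.json",          // sibling
  "file:///home/u/app/lib/widget.js",      // descendant
  "file:///home/u/app/../.ssh/config",     // traversal out of the directory
  "file:///home/u/app-private/notes.html", // shares a name prefix only
];

function compareModels() {
  return SAMPLES.map((t) => ({
    target: t,
    singleOrigin: sameOriginAllFiles(PAGE, t),
    containsBased: mayLoadFileUrl(PAGE, t),
  }));
}

console.table(compareModels());
```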