[whatwg] A document's cookie context
ian at hixie.ch
Wed Nov 26 18:19:18 PST 2008
On Fri, 13 Jun 2008, Adam Barth wrote:
> The current draft of the spec doesn't specify how to compute the cookie
> context for a document. Here is how to compute it:
> A document's cookie context can be represented as a URI and largely (but
> not exactly) follows the document's origin.
> 1) If the document does not have a browsing context (e.g., it was
> retrieved via XMLHttpRequest or created using createDocument) then it's
> cookie context is "" or about:blank (or whatever you prefer for "I don't
> have a cookie context").
> 2) If the document was served over the network and has an address that
> uses a URI scheme with a server-based naming authority, then the
> document's cookie context is that URI.
I've specced the above, including the handling of document.open().
> 3) If the document has the URI about:blank or "", then, like the origin,
> the document's cooke context is the cookie context of the parent
> browsing context (if it has a parent) or the cookie context of the
> opener browsing context (if it has an opener but no parent). Failing
> that, the document's cookie context is about:blank or "" (or whatever
> you prefer for "I don't have a cookie context").
I wasn't able to reproduce this. In particular, I couldn't work out what
browsers were doing for the case of setting cookies on an about:blank
frame. It wasn't reflecting the cookies on the parent browsing context.
I've made the spec say that for these cases (specifically, when the
document URI doesn't have a server-based naming authority) that .cookie
always returns "". If this isn't implementable, it would be helpful to
have test cases demonstrating what exactly it should specify.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg