[whatwg] Origins, reprise
Ian Hickson
ian at hixie.ch
Tue Jun 2 02:23:34 PDT 2009

On Fri, 9 Jan 2009, Boris Zbarsky wrote:
>
> I've recently come across another issue with the origin definition.
>
> Right now, this says:
>
> 1) If url does not use a server-based naming authority, or if parsing
> url failed, or if url is not an absolute URL, then return a new
> globally unique identifier.
> 2) Return the tuple (scheme, host, port).
>
> (with some steps to determine the tuple thrown in).
>
> In Gecko, we actually have three classes of URIs for security purposes:
>
> 1) Those for which the URI is not same-origin with anything (the
> globally unique identifier case).
> 2) Those for which the URI is same-origin with anything with the same
> scheme+host+port.
> 3) Those for which the URI is same-origin with itself but no other URI
> (not to be confused with the globally unique identifier case).
>
> It would be nice if we could express this in terms of the origin setup, but it
> doesn't seem to me like that's workable as things stand...

On Fri, 9 Jan 2009, Adam Barth wrote:
>
> Can you give an example of this kind of URI?

On Fri, 9 Jan 2009, Boris Zbarsky wrote:
>
> Yes, of course. IMAP URIs [1] have an authority component which is the
> IMAP server. At the same time, each message needs to be treated as a
> separate trust domain.
>
> Similar for the proposed nntp URIs [2].
>
> [1] http://www.rfc-editor.org/rfc/rfc5092.txt
> [2] http://tools.ietf.org/html/draft-ellermann-news-nntp-uri-11

I've updated the algorithm for deriving an Origin from a URL in the HTML5
spec to handle this case.

Adam: I believe that you are editing a draft that also has this algorithm;
what parts of HTML5 should I be stripping here? Will this particular
algorithm belong in your draft or HTML5? (If the former, can you take this
change also?)

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
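
The three URI classes described in the quoted messages, as an added example that is not part of the original thread and is neither Gecko's code nor the HTML5 algorithm. The scheme lists, the choice to key per-URI origins on the full serialized URI, and the sample URIs are assumptions made for illustration.

```javascript
// Added example: scheme lists are assumptions, not taken from Gecko or HTML5.
const TUPLE_SCHEMES = new Map([["http", 80], ["https", 443], ["ftp", 21]]);
const PER_URI_SCHEMES = new Set(["imap", "nntp"]);

let nextUniqueId = 0;
function uniqueOrigin() {
  // Every call yields an identifier that equals no earlier one.
  return { kind: "unique", id: nextUniqueId++ };
}

function deriveOrigin(input) {
  let url;
  try {
    url = new URL(input); // throws on parse failure or non-absolute input
  } catch (e) {
    return uniqueOrigin();
  }
  const scheme = url.protocol.slice(0, -1);
  if (PER_URI_SCHEMES.has(scheme)) {
    // Class 3: the server is shared, so key the origin on the whole URI.
    return { kind: "uri", uri: url.href };
  }
  if (TUPLE_SCHEMES.has(scheme)) {
    // Class 2: fill in the default port so ":80" and no port compare equal.
    const port = url.port === "" ? TUPLE_SCHEMES.get(scheme) : Number(url.port);
    return { kind: "tuple", scheme, host: url.hostname, port };
  }
  return uniqueOrigin(); // Class 1: e.g. data: URLs
}

function sameOrigin(a, b) {
  if (a.kind !== b.kind) return false;
  if (a.kind === "tuple") {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  if (a.kind === "uri") return a.uri === b.uri;
  return a.id === b.id; // unique: equal only to the very same derivation
}

// Constructed sample URIs: two messages on one hypothetical IMAP server.
const MSG_20 = "imap://mail.example.com/INBOX/;UID=20";
const MSG_21 = "imap://mail.example.com/INBOX/;UID=21";
console.log(sameOrigin(deriveOrigin(MSG_20), deriveOrigin(MSG_20))); // true
console.log(sameOrigin(deriveOrigin(MSG_20), deriveOrigin(MSG_21))); // false
```

A plain (scheme, host, port) tuple would put both messages in one origin; a globally unique identifier would make a message differ from a second derivation of its own URI.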