W3C home > Mailing lists > Public > public-html@w3.org > September 2008

Re: Question about origin serialization

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 26 Sep 2008 20:40:43 -0400
Message-ID: <48DD810B.8070000@mit.edu>
To: Ian Hickson <ian@hixie.ch>
CC: HTML WG <public-html@w3.org>

Ian Hickson wrote:
> Wouldn't the "null" value that has to be passed in such cases be enough to 
> detect those cases?

Possibly.  I'll be honest; what largely prompted this is that people 
started trying to add all sorts of just-slightly-different origin 
stringification methods to Gecko code, and any time I see that sort of 
thing happening with security code it gives me the "someone will change 
one of these functions and forget to change others" willies.

Which is why ideally there would only be one function involved, 
period....  That's hard enough already with the Unicode vs ASCII thing 
in the spec, but all the _different_ special-casing of the non-host case 
makes it a lot worse.

> I agree that would be a possible benefit.

Fundamentally, by the way, that's what Access-Control seems to rely on...

> It seems, though I could of course be wrong, that exposing internals is a 
> bigger disadvantage than the benefit gained.

If we care, we could probably even standardize a form for the globally 
unique identifier (say something like "html5-unique-origin:" followed by 
a reasonable GUID serialization).

Received on Saturday, 27 September 2008 00:41:29 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:38 UTC