W3C home > Mailing lists > Public > public-html@w3.org > September 2008

Re: Question about origin serialization

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sun, 28 Sep 2008 22:57:26 -0400
Message-ID: <48E04416.2030002@mit.edu>
To: Anne van Kesteren <annevk@opera.com>
CC: HTML WG <public-html@w3.org>

Anne van Kesteren wrote:
> Actually, per a recent update it will be the empty string. (It 
> references the ASCII origin string from HTML5.)

OK.  That helps a good bit.

> This still allows you to differentiate between legacy and modern clients 
> though, as legacy clients won't include the header.

Good catch.

> Why do you need a string serialization for those cases? I don't think 
> you do.

In practice, we (Gecko) must be able to produce a string serialization 
of all origins, because the Java security model relies on it.  (Yes, I 
know I should have mentioned this before; I just did a search for places 
where we actually stringify origins).

I strongly suspect that returning an empty origin to Java would cause 
security bugs, so we need to continue returning nonempty globally unique 
strings there as needed.  I'd love to have proof that this suspicion is 
wrong.

The only remaining question is whether Java will see the same origins as 
everything else; from a security standpoint this would be optimal, of 
course.

-Boris
Received on Monday, 29 September 2008 03:08:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:23 GMT