Re: Question about origin serialization

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 29 Sep 2008 11:34:35 -0400
Message-ID: <48E0F58B.2000808@mit.edu>
To: Maciej Stachowiak <mjs@apple.com>
CC: Adam Barth <w3c@adambarth.com>, HTML WG <public-html@w3.org>

Maciej Stachowiak wrote:
> In WebKit at least, that's not the case. If one site has an origin of 
> <http://example.com/> and another has an origin of 
> <http://subdomain.example.com/>, and the latter sets document.domain to 
> example.com, then no access will be allowed either way

Sure.  The origin compare only comes into play if both set .domain, of 
course; otherwise there's no point in comparing the origins.

> Thus, we track whether document.domain has been set explicitly as an 
> additional flag in our representation of a security origin.

Yeah.  Gecko has two origin URIs, one of which might be null if domain 
wasn't set, but it amounts to the same thing.

Received on Monday, 29 September 2008 15:35:24 UTC
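
A minimal JavaScript model of the check discussed in this message, added here as an illustration and not taken from WebKit, Gecko or the thread itself. The `SecurityOrigin` class and its method names are hypothetical; ignoring the port when both sides have set the domain follows the HTML Standard's same origin-domain rule, and public-suffix validation is omitted.

```javascript
// Simplified model of a security origin that records whether
// document.domain was set explicitly. Names are hypothetical.
class SecurityOrigin {
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol;
    this.host = u.hostname;
    this.port = u.port;   // "" when the scheme's default port is used
    this.domain = null;   // null until document.domain is set explicitly
  }

  // Models `document.domain = value`: only the current value or a parent
  // suffix of it is accepted (public-suffix checks are left out).
  setDomain(value) {
    const current = this.domain !== null ? this.domain : this.host;
    if (value !== current && !current.endsWith("." + value)) {
      throw new Error("SecurityError: " + value + " is not a suffix of " + current);
    }
    this.domain = value;
  }

  canAccess(other) {
    if (this.scheme !== other.scheme) return false;
    const thisSet = this.domain !== null;
    const otherSet = other.domain !== null;
    // Both sides opted in: compare the explicitly set domains, port ignored.
    if (thisSet && otherSet) return this.domain === other.domain;
    // Only one side opted in: deny both ways, even if the strings match.
    if (thisSet !== otherSet) return false;
    // Neither side set document.domain: plain origin comparison.
    return this.host === other.host && this.port === other.port;
  }
}

// The case from the thread: http://example.com/ and
// http://subdomain.example.com/ (constructed sample origins).
function demo() {
  const parent = new SecurityOrigin("http://example.com/");
  const child = new SecurityOrigin("http://subdomain.example.com/");
  const results = {};
  child.setDomain("example.com");
  results.onlyChildSet = [parent.canAccess(child), child.canAccess(parent)];
  parent.setDomain("example.com");
  results.bothSet = [parent.canAccess(child), child.canAccess(parent)];
  return results;
}
```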
