Re: Question about origin serialization

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 29 Sep 2008 11:34:35 -0400
Message-ID: <48E0F58B.2000808@mit.edu>
To: Maciej Stachowiak <mjs@apple.com>
CC: Adam Barth <w3c@adambarth.com>, HTML WG <public-html@w3.org>

Maciej Stachowiak wrote:
> In WebKit at least, that's not the case. If one site has an origin of 
> <http://example.com/> and another has an origin of 
> <http://subdomain.example.com/>, and the latter sets document.domain to 
> example.com, then no access will be allowed either way

Sure.  The origin compare only comes into play if both set .domain, of 
course; otherwise there's no point in comparing the origins.

> Thus, we track whether document.domain has been set explicitly as an 
> additional flag in our representation of a security origin.

Yeah.  Gecko has two origin URIs, one of which might be null if domain 
wasn't set, but it amounts to the same thing.

-Boris
Received on Monday, 29 September 2008 15:35:24 GMT
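
The rule discussed in this message, as an added example that is not part of the original e-mail and is not WebKit or Gecko source: a simplified JavaScript model of a security origin that records whether `document.domain` was set explicitly. The class name `SecurityOrigin`, its methods and the `scenario` helper are hypothetical names chosen for illustration, and the public-suffix check real browsers perform is left out.

```javascript
// Simplified model of a browser security origin (illustrative names,
// not WebKit or Gecko code).
class SecurityOrigin {
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol;
    this.host = u.hostname;
    this.port = u.port;
    this.domain = null; // stays null until document.domain is set explicitly
  }

  // Models `document.domain = value`. Real browsers also reject public
  // suffixes such as "com"; that check is omitted from this sketch.
  setDomain(value) {
    if (value !== this.host && !this.host.endsWith("." + value)) {
      throw new Error("SecurityError: " + value + " is not a suffix of " + this.host);
    }
    this.domain = value;
  }

  get domainWasSet() { return this.domain !== null; }

  canAccess(other) {
    if (this.domainWasSet && other.domainWasSet) {
      // Both sides opted in: compare scheme and relaxed domain. The port is
      // ignored, as in the HTML Standard's same origin-domain check.
      return this.scheme === other.scheme && this.domain === other.domain;
    }
    // Only one side opted in: deny in both directions, even if the hosts match.
    if (this.domainWasSet || other.domainWasSet) return false;
    // Neither side touched document.domain: plain same-origin comparison.
    return this.scheme === other.scheme && this.host === other.host &&
           this.port === other.port;
  }
}

// Constructed sample: the two origins named in the thread.
function scenario(parentSets, childSets) {
  const parent = new SecurityOrigin("http://example.com/");
  const child = new SecurityOrigin("http://subdomain.example.com/");
  if (parentSets) parent.setDomain("example.com");
  if (childSets) child.setDomain("example.com");
  return [parent.canAccess(child), child.canAccess(parent)];
}
```

With only the subdomain setting `document.domain`, `scenario(false, true)` denies access in both directions; access is granted only when both documents set it to the same value.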
