Re: CSP Directive Proposal: Sandbox

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 22 Feb 2011 11:08:29 -0500
Message-ID: <4D63DF7D.4000807@mit.edu>
To: gaz Heyes <gazheyes@gmail.com>
CC: Adam Barth <w3c@adambarth.com>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org

On 2/22/11 4:41 AM, gaz Heyes wrote:
> Maybe it's me but I looked and couldn't find how "globally unique
> identifier" is generated.

It's unspecified, but that's ok because it's not ever exposed anywhere 
where you could examine it.  So as long as it's actually globally 
unique, there is no problem.

Gecko basically uses UUIDs here, sort of (caveat below).

>     The unique origin does not use the about scheme.
>
> What does it use?

In the case of Gecko, it uses a separate implementation of the origin 
interface, which always tests not equal to anything else (and has some 
other restrictions on it in terms of what it can do).

In particular, this means that an origin compare for the unique origins 
is a _pointer_ compare.  So the origin is actually the object identity 
of the origin object for unique origins.

> I'm interested in ways to get the unique origin and then regenerate it

There shouldn't be any.  If you can do that, that's a bug.

-Boris
Received on Tuesday, 22 February 2011 16:09:05 GMT
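
The identity-based comparison described in the message above, sketched as an added example that is not part of the original post and is not Gecko's code. The class and method names are hypothetical, and the "null" serialization is taken from the HTML specification rather than from this thread.

```cpp
#include <string>
#include <utility>

// Illustrative model only; class and method names are assumptions, not Gecko's.
class Origin {
public:
    virtual ~Origin() = default;
    virtual bool Equals(const Origin& other) const = 0;
    virtual std::string Serialize() const = 0;
};

// Ordinary origin: compared by value on (scheme, host, port).
class TupleOrigin : public Origin {
public:
    TupleOrigin(std::string scheme, std::string host, int port)
        : scheme_(std::move(scheme)), host_(std::move(host)), port_(port) {}
    bool Equals(const Origin& other) const override {
        auto* o = dynamic_cast<const TupleOrigin*>(&other);
        return o && o->scheme_ == scheme_ && o->host_ == host_ && o->port_ == port_;
    }
    std::string Serialize() const override {
        return scheme_ + "://" + host_ + ":" + std::to_string(port_);
    }
private:
    std::string scheme_, host_;
    int port_;
};

// Unique origin: no stored identifier at all. Equality is object identity,
// so there is no value to read out and reconstruct elsewhere.
class UniqueOrigin : public Origin {
public:
    UniqueOrigin() = default;
    UniqueOrigin(const UniqueOrigin&) = delete;             // a copy would be a
    UniqueOrigin& operator=(const UniqueOrigin&) = delete;  // second identity
    bool Equals(const Origin& other) const override { return this == &other; }
    // The HTML spec serializes such origins as "null"; that string is shared by
    // every unique origin, so it must never be used for an equality check.
    std::string Serialize() const override { return "null"; }
};

// Same-origin check: always goes through Equals(), never through strings.
bool SameOrigin(const Origin& a, const Origin& b) { return a.Equals(b); }
```

Two distinct unique origins serialize identically yet compare unequal, which is why an access check built on the serialized string would wrongly treat every sandboxed document as the same origin.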
