W3C home > Mailing lists > Public > public-webapi@w3.org > August 2007

Re: XHR: definition of same-origin

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 28 Aug 2007 23:51:29 -0700
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-Id: <4971825E-B5AF-4C59-8B69-A691F9A993CB@apple.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>


On Aug 28, 2007, at 8:25 PM, Bjoern Hoehrmann wrote:

> * Maciej Stachowiak wrote:
>> The XHR spec doesn't define same-origin. We had a webkit bug filed
>> differently where we apparently interpreted same-origin differently
>> than IE or Firefox: <http://bugs.webkit.org/show_bug.cgi?id=15100>
>>
>> In particular, we would not consider https://example.com:443/ to be
>> the same origin as https://example.com/.
>>
>> Since this affects interoperability as well as security I would
>> suggest adding a definition, unless the spec expected to define same-
>> origin is going to happen soon.
>
> That might make sense, but I am unsure how the bug you mention is
> relevant here.

The bug just raised the issue in my mind, since it is one example  
where the comparison is not obvious.

> It seems clear to me that https://example.com:443/
> and https://example.com/ are exactly the same resource identifier,
> just like https://example.COM is the same as https://example.com/.

The requests will be sent with different 'Host' http request headers  
headers. A server configured as a virtual host could easily return  
different content for "example.com:443" and "example.com". So it's not  
immediately obvious that they are the same resource identifier. Indeed  
URIs including different hostnames that resolve to the same IP address  
are definitely NOT the same resource identifier, though once again  
what will differ in what is sent over the wire is the 'Host' header.  
Anyway, it would be good to clarify this somewhere but I now think  
that the XMLHttpRequest spec may not be a workable place.

Also, knowing the default protocol for a scheme is protocol-specific,  
so whether an origin is considered the same would depend on whether  
the UA is natively aware of it. Why might that matter? Consider a URI  
scheme that can be handled only by a plugin and not the UA itself, for  
example rtsp: can be handled by the QuickTime plugin but not directly  
by most web browsers. If we expect a scheme's default port to have no  
effect on same-origin checks, then a UA would have no way to correctly  
implement the check for content where plugin data is considered to be  
the origin. (Fortunately this doesn't normally come up in HTML since  
the page embedding the plugin is considered the origin, but I could  
imagine similar situations.)

> It seems to me that if we add some kind of definition, we would
> not make explicit all the scheme-specific equivalence rules, and
> as such not really clarify the matter for the specific issue you
> mention.

Any definition of a same-origin policy would have to define how to  
determine the hostname and port. Given this, we could say that the RFC  
registering a scheme should be referenced to determine the default  
port, or we could include the rule for specific well-known schemes.  
well-known schemes are where the bulk of any interoperability issues  
will lie anyway, and for security, it's probably ok if implementations  
err on the side of considering two URIs not to be the same origin when  
in doubt.

> Could you say how you'd envision the fix to address the problem?

The current spec doesn't define "same origin" at all. Thinking about  
it more though, it seems like it would be impossible to define  
correctly without extensive detailed reference to HTML details.

Regards,
Maciej
Received on Wednesday, 29 August 2007 06:51:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT