W3C home > Mailing lists > Public > public-webapi@w3.org > September 2007

Re: XHR: definition of same-origin

From: Asbjørn Ulsberg <asbjorn@ulsberg.no>
Date: Fri, 21 Sep 2007 09:46:50 +0200
To: "Boris Zbarsky" <bzbarsky@mit.edu>
Cc: "Maciej Stachowiak" <mjs@apple.com>, "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.tyzujwj45rel5w@eg10237.ad.ergogroup.no>

On Thu, 20 Sep 2007 18:40:09 +0200, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

>>  Can't we just reference RFC-3986, section 6.2.2 and 6.2.3?
>
> I don't see those saying anything about same-origin.  What am I missing?

Well, a fully normalized URI would be much easier to compare. The example  
URIs given earlier in this thread would, if normalized, be the exact same  
URIs. From RFC-3986 section 3.2.3:

#  A scheme may define a default port.  For example, the "http" scheme
#  defines a default port of "80", corresponding to its reserved TCP
#  port number.  The type of port designated by the port number (e.g.,
#  TCP, UDP, SCTP) is defined by the URI scheme.  URI producers and
#  normalizers should omit the port component and its ":" delimiter if
#  port is empty or if its value would be the same as that of the
#  scheme's default.

> I do think that same-origin checks must be done on fully normalized  
> URIs, of course.  Anything else doesn't make sense, really.

Indeed. And that makes at least the example given in this thread void.  
There are perhaps more complex examples where two URIs would appear  
different even after normalization, but stuff like default port numbers  
doesn't.

-- 
Asbjørn Ulsberg          -=|=-         asbjorn@ulsberg.no
«He's a loathsome offensive brute, yet I can't look away»
Received on Friday, 21 September 2007 07:47:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT