
Re: XHR: definition of same-origin

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 25 Sep 2007 10:27:20 -0500
Message-ID: <46F928D8.2060701@mit.edu>
To: Anne van Kesteren <annevk@opera.com>
CC: "Web API WG (public)" <public-webapi@w3.org>

Anne van Kesteren wrote:
> Thanks Boris, Jonas and Maciej for your replies.
> 
>   http://dev.w3.org/2006/webapi/XMLHttpRequest/Overview.html#same-origin
....
> It would be nice to get some implementation feedback on what to do about 
> data:, javascript: etc.

If you're going to refer to RFC 3987, you probably want to use the same 
terminology as that RFC.  So the things that must be equal for the two URIs are 
the "scheme", "ihost", and "port".  In particular, "ihost" might be an IP 
address literal (IPv6 or IPv4) and not a domain name.

With that caveat, that description basically matches Gecko's implementation for 
URI schemes that have a concept of ihost.  For ones that do not, Gecko's 
implementation is that two such URIs are same-origin only if they are the same 
URI object (not string equality, but actual object identity).  This covers 
data:, javascript:, about:, all unknown URI schemes, etc.  In practice, in 
Gecko, it's very very rare to have a page whose security context corresponds to 
a data: or javascript: URI; in fact I'm not sure the latter is possible.

-Boris
Received on Tuesday, 25 September 2007 15:27:59 GMT
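The comparison rule Boris describes above, written out as an added example that is not part of the original message or of Gecko's code: for schemes that have a host, two URIs are same-origin when scheme, ihost and port are all equal; for schemes with no host concept, only the very same URI object qualifies. The example assumes Node's WHATWG URL parser as a stand-in for RFC 3987 parsing (it lower-cases the host, normalizes IPv6 literals and drops a default port), and assumes a fixed list of schemes that carry a host.

```javascript
// Added example: a same-origin check along the lines described in the
// message. Assumption: Node's built-in WHATWG URL class is used in place
// of an RFC 3987 parser to extract scheme, ihost and port.

// Assumption: schemes treated as having a host (an "ihost") at all.
// Everything else (data:, javascript:, about:, unknown schemes) has none.
const HOST_SCHEMES = new Set(["http:", "https:", "ws:", "wss:", "ftp:"]);

function hasHostConcept(url) {
  return HOST_SCHEMES.has(url.protocol);
}

// Origin tuple [scheme, ihost, port] for a URL whose scheme has a host.
// The parser already lower-cases the host, compresses IPv6 literals
// (e.g. "[0:0:0:0:0:0:0:1]" becomes "[::1]") and turns a default port
// into the empty string, so plain string comparison of the parts suffices.
function originTuple(url) {
  return [url.protocol, url.hostname, url.port];
}

// Two URL objects are same-origin when:
//  - both have a host concept and their scheme, ihost and port are equal, or
//  - otherwise, they are the very same object (identity, not string equality).
function sameOrigin(a, b) {
  if (hasHostConcept(a) && hasHostConcept(b)) {
    const [sa, ha, pa] = originTuple(a);
    const [sb, hb, pb] = originTuple(b);
    return sa === sb && ha === hb && pa === pb;
  }
  return a === b;
}

// Runs the check over a set of constructed sample URLs and returns the
// outcomes so they can be inspected (or asserted on) rather than only printed.
function demo() {
  const page = new URL("http://example.com/index.html");
  const dataUri = new URL("data:text/plain,hello");
  return {
    // default port written explicitly and upper-case host: still same-origin
    defaultPort: sameOrigin(page, new URL("HTTP://EXAMPLE.COM:80/other")),
    // scheme differs
    diffScheme: sameOrigin(page, new URL("https://example.com/")),
    // port differs
    diffPort: sameOrigin(page, new URL("http://example.com:8080/")),
    // IPv6 literal as ihost, two spellings of the same address
    ipv6Literal: sameOrigin(new URL("http://[::1]/a"),
                            new URL("http://[0:0:0:0:0:0:0:1]/b")),
    // IPv4 literal vs. a name: ihosts are compared literally, never resolved
    ipv4VsName: sameOrigin(new URL("http://127.0.0.1/"), new URL("http://localhost/")),
    // identical data: strings but distinct objects: not same-origin
    dataStringEqual: sameOrigin(dataUri, new URL("data:text/plain,hello")),
    // the same data: object compared with itself: same-origin
    dataSameObject: sameOrigin(dataUri, dataUri),
    // a hostful URL against a hostless one: falls through to identity, false
    hostVsData: sameOrigin(page, dataUri),
  };
}

console.log(demo());
```

The object-identity branch is what makes the data:/javascript: case conservative: two pages that happen to carry byte-identical data: URIs still do not share an origin unless they literally share the URI object, which is the behaviour the message attributes to Gecko.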

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT