
Re: XHR: definition of same-origin

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 25 Sep 2007 13:55:53 -0700
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "Web API WG (public)" <public-webapi@w3.org>
Message-Id: <E2BDCF5E-3B72-440B-8B80-8BBBDAB2F3BF@apple.com>
To: Anne van Kesteren <annevk@opera.com>


On Sep 25, 2007, at 5:53 AM, Anne van Kesteren wrote:

>
> On Wed, 29 Aug 2007 08:51:29 +0200, Maciej Stachowiak  
> <mjs@apple.com> wrote:
>>> Could you say how you'd envision the fix to address the problem?
>>
>> The current spec doesn't define "same origin" at all. Thinking  
>> about it more though, it seems like it would be impossible to  
>> define correctly without extensive detailed reference to HTML  
>> details.
>
> Do you still think this is true? What exactly is needed from HTML?

I'm not sure offhand if baseURI is the right way to determine the  
security domain. While setting document.domain does not apply, frames  
or windows initially loaded with about:blank or no URI at all  
generally get the security domain of their parent frame or opener  
respectively. I am not certain if this is also supposed to be  
reflected in baseURI in all cases, but in any case it doesn't in  
Safari (<iframe src="about:blank"> gets a baseURI of about:blank). So  
I don't think the spec can define the browsing context's origin  
without reference to HTML.

Regards,
Maciej
Received on Tuesday, 25 September 2007 20:56:09 GMT
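
The mismatch described in the message above, as an added example that is not part of the original message or of any browser or specification: a small model in which the origin derived from a context's own URI disagrees with the inherited security domain. The context objects, function names and example.org URLs are all constructed for illustration, and treating a URI-less window as having no URI-derived domain is an assumption.

```javascript
// Added illustration: a constructed model of browsing contexts, not browser or spec code.
// uri: the URI the context was loaded with (null = none); creator: parent frame or opener.
const page = { uri: 'http://example.org/app/index.html', creator: null };
const blankFrame = { uri: 'about:blank', creator: page };   // <iframe src="about:blank">
const nestedBlank = { uri: 'about:blank', creator: blankFrame };
const popup = { uri: null, creator: page };                 // window opened with no URI
const foreignFrame = { uri: 'http://other.example/w.html', creator: page };

// Scheme/host/port tuple for http(s) URIs; null when the URI carries no such tuple.
function tupleFromUri(uri) {
  if (uri === null) return null;
  const u = new URL(uri);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Domain read straight off the context's own URI (what a baseURI of about:blank gives).
function baseUriDomain(ctx) {
  return tupleFromUri(ctx.uri);
}

// Domain with the inheritance the message describes: about:blank or URI-less
// contexts take the domain of their parent frame or opener.
function securityDomain(ctx) {
  let c = ctx;
  while (c !== null && (c.uri === null || c.uri === 'about:blank')) c = c.creator;
  return c === null ? null : tupleFromUri(c.uri);
}

// Same-origin decision for a request from ctx to target under a given domain rule.
function xhrSameOrigin(ctx, target, domainOf) {
  const from = domainOf(ctx);
  return from !== null && from === tupleFromUri(target);
}

const target = 'http://example.org:80/data.xml';
for (const [name, ctx] of Object.entries({ page, blankFrame, nestedBlank, popup, foreignFrame })) {
  console.log(name, 'baseURI rule:', xhrSameOrigin(ctx, target, baseUriDomain),
    '| inherited rule:', xhrSameOrigin(ctx, target, securityDomain));
}
```

Only the about:blank and URI-less contexts change answer between the two rules; the directly loaded page and the foreign frame are decided the same way by both.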