On Sep 25, 2007, at 5:53 AM, Anne van Kesteren wrote:

>
> On Wed, 29 Aug 2007 08:51:29 +0200, Maciej Stachowiak
> <mjs@apple.com> wrote:
>>> Could you say how you'd envision the fix to address the problem?
>>
>> The current spec doesn't define "same origin" at all. Thinking
>> about it more though, it seems like it would be impossible to
>> define correctly without extensive detailed reference to HTML
>> details.
>
> Do you still think this is true? What exactly is needed from HTML?

I'm not sure offhand if baseURI is the right way to determine the security domain. While setting document.domain does not apply, frames or windows initially loaded with about:blank or no URI at all generally get the security domain of their parent frame or opener respectively. I am not certain if this is also supposed to be reflected in baseURI in all cases, but in any case it doesn't in Safari (<iframe src="about:blank"> gets a baseURI of about:blank). So I don't think the spec can define the browsing context's origin without reference to HTML.

Regards,
Maciej

Received on Tuesday, 25 September 2007 20:56:09 GMT
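
The difference described in the message above, as an added example that is not part of the original email: a small model comparing an origin derived from a document's own URI with an origin inherited from the parent frame or opener. The context objects (`url`, `parent`, `opener`), the function names and the sample URLs are hypothetical, and a context with no URI is assumed to report `about:blank`.

```javascript
// Constructed model of browsing contexts; these objects are not a browser API.
// A context is { url, parent, opener }, where parent/opener may be undefined.

function isBlank(url) {
  return url === undefined || url === null || url === "" || url === "about:blank";
}

// Origin derived only from the document's own URI, as a baseURI-based
// definition would do. about:blank has no scheme/host/port tuple, so the
// URL parser reports the opaque origin, serialized as "null".
function originFromBaseURI(ctx) {
  const uri = isBlank(ctx.url) ? "about:blank" : ctx.url; // assumption: no URI -> about:blank
  return new URL(uri).origin;
}

// Origin with the inheritance the message describes: a frame or window that
// starts at about:blank (or with no URI) takes the security domain of its
// parent frame, or of its opener when it has no parent.
function inheritedOrigin(ctx, seen = new Set()) {
  if (!isBlank(ctx.url)) return new URL(ctx.url).origin;
  if (seen.has(ctx)) return "null"; // guard against a cyclic opener chain
  seen.add(ctx);
  const creator = ctx.parent || ctx.opener;
  return creator ? inheritedOrigin(creator, seen) : "null";
}

// Same-origin check parameterized by the origin rule in use.
// An opaque origin never matches anything, including another opaque origin.
function sameOrigin(a, b, originOf) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== "null" && oa === ob;
}

// Constructed sample contexts.
const top = { url: "https://example.org/app" };
const blankFrame = { url: "about:blank", parent: top };
const blankPopup = { url: undefined, opener: top };
const foreignFrame = { url: "https://other.example/", parent: top };

for (const [name, ctx] of Object.entries({ blankFrame, blankPopup, foreignFrame })) {
  console.log(name,
    "baseURI rule:", sameOrigin(top, ctx, originFromBaseURI),
    "inheritance rule:", sameOrigin(top, ctx, inheritedOrigin));
}
```

Under the URI-only rule the blank frame and blank popup are treated as foreign to the page that created them; under the inheritance rule they share its origin, which is why the access-control decision cannot be computed from the URI alone.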