W3C home > Mailing lists > Public > public-webapi@w3.org > September 2007

Re: XHR: definition of same-origin

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 26 Sep 2007 14:55:36 +0200
To: "Maciej Stachowiak" <mjs@apple.com>
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.ty9h6qsc64w2qv@annevk-t60.oslo.opera.com>

On Tue, 25 Sep 2007 22:55:53 +0200, Maciej Stachowiak <mjs@apple.com>  
wrote:
> I'm not sure offhand if baseURI is the right way to determine the  
> security domain. While setting document.domain does not apply, frames or  
> windows initially loaded with about:blank or no URI at all generally get  
> the security domain of their parent frame or opener respectively. I am  
> not certain if this is also supposed to be reflected in baseURI in all  
> cases, but in any case it doesn't in Safari (<iframe src="about:blank">  
> gets a baseURI of about:blank). So I don't think the spec can define the  
> browsing context's origin without reference to HTML.

Thanks. So it say the that the origin of the Document object associated  
with the Window pointer is the origin of the request. With a reference to  
HTML5 to see what the origin of such a Document object actually is. Or  
should it simply be the origin of the script?


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 26 September 2007 12:55:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT