W3C home > Mailing lists > Public > public-webapi@w3.org > September 2007

Re: XHR: definition of same-origin

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 26 Sep 2007 16:30:14 +0200
To: "Boris Zbarsky" <bzbarsky@mit.edu>
Cc: "Maciej Stachowiak" <mjs@apple.com>, "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.ty9mkox364w2qv@annevk-t60.oslo.opera.com>

On Wed, 26 Sep 2007 16:06:08 +0200, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:
> Anne van Kesteren wrote:
>> Yes. If I get all this stuff correctly a script could be running on  
>> bar.com using the XMLHttpRequest from another frame which is on  
>> foo.bar.com. Depending on which definition is used it can either access  
>> bar.com or foo.bar.com content (but not both), right?
>
> Basically, yes.

Hmm, actually, per HTML5 it seems that's impossible because the origin of  
bar.com and foo.bar.com are not the same and therefore you can't access  
any members of foo.bar.com from bar.com or vice versa. document.domain can  
change this I suppose, but doesn't it change the origin as well then for  
both domains making this not a problem for deciding what the origin is?  
(It's still relevant of course for determining how to resolve URIs.)


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 26 September 2007 14:30:40 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 10 December 2014 20:05:34 UTC