
Re: [access-control] Update

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 10 Jul 2008 14:45:59 -0700
Cc: Anne van Kesteren <annevk@opera.com>, Web Applications Working Group WG <public-webapps@w3.org>
Message-Id: <C90775D7-88EF-4104-8A7A-430381E77074@apple.com>
To: Jonas Sicking <jonas@sicking.cc>

On Jul 10, 2008, at 4:17 AM, Jonas Sicking wrote:

> Jonas Sicking wrote:
>> Anne van Kesteren wrote:
>>> On Thu, 10 Jul 2008 01:13:52 +0200, Jonas Sicking  
>>> <jonas@sicking.cc> wrote:
>>>> Anne van Kesteren wrote:
>>>>> This is exactly how postMessage() works and it seems nice to  
>>>>> align with that.
>>>> I am very strongly against this syntax as it gives a false sense  
>>>> of security. To the point where I don't think I'd be willing to  
>>>> implement it in Firefox. The fact that postMessage allows this  
>>>> sounds very unfortunate and something that I will look into  
>>>> fixing in that spec.
>>> Let me know how that works out. postMessage() is shipping already  
>>> in various implementations...
>> I will keep you updated.
>> Until then I very strongly feel we need to change the parsing rules  
>> to refer to RFCs 3986 and 3490 the way the previous draft did.
> To make it clear, since I'll be on vacation and won't be very  
> responsive on email the coming week, the current syntax is not  
> acceptable to Mozilla. If referring to the above RFCs is not an  
> option for some reason, we need to define the syntax in some other  
> way that disallows full URIs that include paths.

There doesn't seem to be a big advantage to allowing
Access-Control-Origin URIs to accept a path, since Origin won't include
one and the most likely case is to echo it back.

Received on Thursday, 10 July 2008 21:46:48 UTC
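The concern in this thread, shown as an added example that is not part of the original messages or of any draft: a lenient parser accepts an Access-Control-Origin value with a path and silently compares only scheme, host and port, while a strict parser rejects anything beyond `scheme://host[:port]`. The function names and the example.com values are constructed for illustration.

```javascript
// Strict: accept only scheme://host[:port]; return the canonical origin or null.
function strictOrigin(value) {
  // Check the raw string first, because URL() normalizes: it adds a "/" path
  // and treats "\" as "/" for http(s), which would hide a path from later checks.
  const bare = /^[a-z][a-z0-9+.-]*:\/\/[^\s\/\\?#@]+$/i;
  if (typeof value !== "string" || !bare.test(value)) return null;
  let u;
  try {
    u = new URL(value);
  } catch {
    return null; // not parseable at all
  }
  // Defense in depth: nothing but scheme, host and port may survive parsing.
  if (u.username || u.password || u.search || u.hash) return null;
  if (u.pathname !== "/" && u.pathname !== "") return null;
  // Schemes without a tuple origin serialize as the string "null".
  if (u.origin === "null") return null;
  return u.origin; // lower-cased, default port dropped
}

// Strict comparison: both sides must be bare origins and must be identical.
function strictMatch(requestOrigin, headerValue) {
  const a = strictOrigin(requestOrigin);
  const b = strictOrigin(headerValue);
  return a !== null && a === b;
}

// Lenient comparison, for contrast: the path in the header value is parsed
// and then ignored, so the value looks narrower than the check really is.
function lenientMatch(requestOrigin, headerValue) {
  try {
    return new URL(headerValue).origin === new URL(requestOrigin).origin;
  } catch {
    return false;
  }
}

// Constructed sample: the header names /app1, the request comes from the
// same host, and the Origin header carries no path to compare against.
const requestOrigin = "http://example.com";
const headerValue = "http://example.com/app1";
console.log("lenient:", lenientMatch(requestOrigin, headerValue)); // path ignored
console.log("strict: ", strictMatch(requestOrigin, headerValue));  // value rejected
```
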
