- From: Maciej Stachowiak <mjs@apple.com>
- Date: Thu, 10 Jul 2008 14:45:59 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Anne van Kesteren <annevk@opera.com>, Web Applications Working Group WG <public-webapps@w3.org>
On Jul 10, 2008, at 4:17 AM, Jonas Sicking wrote: > > Jonas Sicking wrote: >> Anne van Kesteren wrote: >>> >>> On Thu, 10 Jul 2008 01:13:52 +0200, Jonas Sicking >>> <jonas@sicking.cc> wrote: >>>> Anne van Kesteren wrote: >>>>> This is exactly how postMessage() works and it seems nice to >>>>> align with that. >>>> >>>> I am very strongly against this syntax as it gives a false sense >>>> of security. To the point where I don't think I'd be willing to >>>> implement it in firefox. The fact that postMessage allows this >>>> sounds very unfortunate and something that I will look into >>>> fixing in that spec. >>> >>> Let me know how that works out. postMessage() is shipping already >>> in various implementations... >> I will keep you updated. >> Until then I very strongly feel we need to change the parsing rules >> to refer to rfcs 3986 and 3490 the way the previous draft did. > > To make it clear, since i'll be on vacation and won't be very > responsive on email the coming week, the current syntax is not > acceptible to mozilla. If referring to the above rfcs is not an > option for some reason, we need to define the syntax in some other > way that disallows full uris that includes paths. There doesn't seem to be a big advantage to allowing Access-Control- Origin URIs to accept a path, since Origin won't include one and the most likely case is to echo it back. Regards, Maciej
Received on Thursday, 10 July 2008 21:46:48 UTC