W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2008

Re: [access-control] Update

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 20 Oct 2008 14:08:25 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0810201405330.1237@hixie.dreamhostps.com>

On Wed, 9 Jul 2008, Jonas Sicking wrote:
> > > 
> > > Lastly, the 'URL' token 
> > > http://dev.w3.org/2006/waf/access-control/#url should not be a full 
> > > URL, and I don't think we want to depend on HTML5 for it either. 
> > > Currently we seem to be allowing the syntax
> > > 
> > > Access-Control-Origin: http://foo.com/bar/bin/baz.html
> > > 
> > > which I think is very bad as it seems to indicate that only that 
> > > page would be allowed to POST, which of course isn't something that 
> > > we can enforce.
> > 
> > This is exactly how postMessage() works and it seems nice to align 
> > with that.
> 
> I am very strongly against this syntax as it gives a false sense of 
> security. To the point where I don't think I'd be willing to implement 
> it in firefox. The fact that postMessage allows this sounds very 
> unfortunate and something that I will look into fixing in that spec.
> 
> I don't want to carry this mistake forward into Access-Control.

I have changed postMessage()'s definition to make sure that targetOrigin 
doesn't have a path, query, or fragment part.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 20 October 2008 14:09:01 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:28 GMT