- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 20 Oct 2008 15:03:38 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
On Mon, 20 Oct 2008, Ian Hickson wrote: > On Wed, 9 Jul 2008, Jonas Sicking wrote: > > > > > > > > Lastly, the 'URL' token > > > > http://dev.w3.org/2006/waf/access-control/#url should not be a > > > > full URL, and I don't think we want to depend on HTML5 for it > > > > either. Currently we seem to be allowing the syntax > > > > > > > > Access-Control-Origin: http://foo.com/bar/bin/baz.html > > > > > > > > which I think is very bad as it seems to indicate that only that > > > > page would be allowed to POST, which of course isn't something > > > > that we can enforce. > > > > > > This is exactly how postMessage() works and it seems nice to align > > > with that. > > > > I am very strongly against this syntax as it gives a false sense of > > security. To the point where I don't think I'd be willing to implement > > it in firefox. The fact that postMessage allows this sounds very > > unfortunate and something that I will look into fixing in that spec. > > > > I don't want to carry this mistake forward into Access-Control. > > I have changed postMessage()'s definition to make sure that targetOrigin > doesn't have a path, query, or fragment part. Now fixed to actually work. Search for "<host-specific>". (Better names welcome.) -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 20 October 2008 15:04:17 UTC