
Re: XHR: definition of same-origin

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 29 Aug 2007 11:20:48 +0200
To: Maciej Stachowiak <mjs@apple.com>
Cc: www-archive@w3.org
Message-ID: <bhdad31mqq98op0smbsf5lf40g8dh8qcdp@hive.bjoern.hoehrmann.de>

* Maciej Stachowiak wrote:
>It would work to specify the rules without specifying how to determine  
>the origin URI of the XHR completely. However, the rule you mention  
>would not work as is. For instance two textually identical data: URLs  
>should not be considered to constitute a same origin for scripting  
>purposes (though for XHR it doesn't matter).

Could you elaborate on why scripts running in data:X should be denied
access to data:X? Clearly they already have complete access to
everything in X through parsing their own location's URL and they cannot
do anything beyond accessing that information if you grant access.
Perhaps you meant accessing data:X from http:Y should be allowed?
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 29 August 2007 09:20:58 UTC
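
The comparison under discussion, as an added example that is not part of the original message or of any XHR draft: it shows how the WHATWG URL API (available in Node.js and browsers today) reports origins for http: and data: URLs, and why a textual match is not enough. The helper names and all URLs are constructed for illustration.

```javascript
// Added example: same-origin comparison using the WHATWG URL API.
// originOf() and sameOrigin() are hypothetical helpers; URLs are constructed samples.

function originOf(urlString) {
  // For http/https this is "scheme://host[:port]" with default ports dropped.
  // For data: URLs the API reports an opaque origin, serialized as the string "null".
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  // An opaque origin is equal only to itself, never to another opaque origin,
  // so two serialized "null" values must not be compared as strings.
  if (oa === "null" || ob === "null") return false;
  return oa === ob;
}

// Constructed sample inputs covering the cases raised in the thread.
const dataX = "data:text/html,<p>X</p>";
const httpY = "http://example.com/page";

function report() {
  return [
    ["data:X vs data:X (textually identical)", sameOrigin(dataX, dataX)],
    ["http:Y vs data:X", sameOrigin(httpY, dataX)],
    ["http:Y vs same host, explicit default port", sameOrigin(httpY, "http://example.com:80/other")],
    ["http:Y vs https on same host", sameOrigin(httpY, "https://example.com/page")],
  ];
}

for (const [label, result] of report()) {
  console.log(`${label}: ${result}`);
}
```

A naive check such as `originOf(a) === originOf(b)` would report two data: URLs as same-origin because both serialize to "null", which is the case the explicit opaque-origin branch guards against.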
