Re: wrt HTTP Origin header serialization (was Re: The HTTP Sec-From Header (draft-abarth-origin)) from Adam Barth on 2009-10-29 (ietf-http-wg@w3.org from October to December 2009)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 29 Oct 2009 14:43:30 -0700
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <7789133a0910291443h11a701b2tdb5a6eef89fba006@mail.gmail.com>

On Wed, Oct 28, 2009 at 11:27 AM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> Also, it appears the Gecko window.postMessage() method documentation denotes
> it as a URI..
>
>  Gecko DOM Reference - window.postMessage
>  https://developer.mozilla.org/en/DOM/window.postMessage
>
>  " targetOrigin
>      Specifies what the origin of otherWindow must be for the event to be
>      dispatched, either as the literal string "*" (indicating no preference)
>      or as a URI."

The targetOrigin parameter actually *is* a URI.  I meant the origin
property of the MessageEvent.

> On the surface this would seem to not be a big deal, but it apparently is
> causing (at least) the W3C systems folk some grief because there's some
> software out there  that behaves thus: "if it looks like an http URI,
> dereference it". (this is apparently putting some non-trivial load on W3C
> servers for > 2 yrs now).

That problem is caused by putting these URI in documents stored on
servers.  Here we're sending the string from the client to the server.
 Don't we already have this problem for Referer?  It doesn't seem like
that big a deal in this case.

> So I'm just guessing here that window.postMessage() was (initially) crafted
> the way it is because they wanted the programmer to be able to just pass it
> the URI at hand, whose 'origin' they wished to 'state', without parsing the
> URI to extract the origin.

That's correct for targetOrigin, but not for the origin property of
MessageEvent.  The syntax for the origin property was chosen to
compactly package the scheme and the host in a familiar form.  It's
possible we should have used something else, but that's water under
the bridge at this point.

> Tho, presummably if a browser impl has a URL handling interface, like Chrome
> does (GURL), and already has a getOrigin() method (as Chrome apparently does
> [1] -- getOrigin() used in postMessage() impl), then updating the origin
> serialization could ostensibly be accomplished....  (whether or not
> serialized origins are scrawled down in persistent data anwhere  would of
> course complicate things) ... tho this list isn't the place to discuss impl
> details.

Regardless, there are lots of web sites that depend on the particular
serialization we already shipped for postMessage.  The benefits of
adding a new, different serialization here don't seem to out-weigh the
costs.

Adam

Received on Thursday, 29 October 2009 21:44:31 UTC