- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 22 Jul 2016 11:36:29 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Mike West <mkwst@google.com>, Mark Nottingham <mnot@mnot.net>, Roy Fielding <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
Anne,
thanks for the feedback.
On 2016-07-20 09:59, Anne van Kesteren wrote:
> ...
> It really depends on which origin. Origin as a concept is defined by
> HTML: https://html.spec.whatwg.org/multipage/browsers.html#origin.
It seems to me that RFC 6454 has much more text explaining origins and
the same-origin policy. Is that somewhere in the HTML spec as well?
Other than that I notice that the definition of an origin changed to
include one additional component ("domain"), which is optional and seems
to be specific to browser APIs.
I can see why this stuff is needed internally in the browser spec, but
I'm skeptical about this needing to "obsolete" RFC 6454.
> Computing an origin from a URL is defined by URL:
> https://url.spec.whatwg.org/#origin (you'll see it has a dependency on
> HTML for that). Origin as an HTTP header is defined by Fetch:
> https://fetch.spec.whatwg.org/#origin-header.
Which attempts to make an incompatible change to the syntax of the
header field.
<https://github.com/w3c/resource-timing/issues/62#issuecomment-234105413>
seems to indicate that this change would make Chrome and Edge non-compliant.
Best regards, Julian
Received on Friday, 22 July 2016 09:37:12 UTC