- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 2 Oct 2007 23:40:33 +0000 (UTC)
- To: public-appformats@w3.org
Right now, if I have a server at example.com that says:

   Access-Control: allow <http://hixie.ch/>

...it looks like I'm safe, because I control the domains hixie.ch and example.com completely. Except, I'm actually not safe. To be safe, I'd have to say:

   Access-Control: allow <http://hixie.ch:80/>

...because in fact, anyone with an account on the machine which hosts hixie.ch can open any random port above 1024, and then host a Web server there that claims to be hixie.ch, such that URIs with the prefix:

   http://hixie.ch:9999/

...would be under someone else's control.

Thus, I think the spec should not default the port to unrestricted. I think that few authors would ever include the port, since the _URI_ syntax "http://hixie.ch/" implies port 80, and they won't think of that as a problem.

I recommend that the spec default the port to the default port for the given scheme (80 for http:, 443 for https:, etc).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 2 October 2007 23:40:49 UTC
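The port problem described in the message above, as an added worked example that is not part of the original post, the W3C Access-Control draft, or any browser's code. It implements a minimal matcher for an "allow <uri>" rule under the two candidate policies (a rule with no explicit port matches any port, versus a rule with no explicit port meaning the scheme's default port) and shows that only the second rejects an origin on a high port such as http://hixie.ch:9999/. The function names (parseOrigin, parseAllowRule, ruleMatchesOrigin, decide), the policy labels and the DEFAULT_PORTS table are assumptions for illustration; the header grammar is simplified to the form quoted in the message.

```javascript
// Added example: how an Access-Control "allow <uri>" rule behaves depending on
// what an absent port means. Names and header grammar are hypothetical and
// simplified; this is not the spec's or any browser's implementation.

// Default port per scheme, as the message recommends (80 for http, 443 for https).
const DEFAULT_PORTS = { http: "80", https: "443" };

// Parse "scheme://host[:port][/path]" without using the URL class, because
// URL drops an explicit ":80" on http and we need to know whether the author
// wrote the port out or not.
function parseOrigin(uri) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?(?:\/.*)?$/i.exec(uri);
  if (!m) throw new Error("unparseable URI: " + uri);
  return {
    scheme: m[1].toLowerCase(),
    host: m[2].toLowerCase(),
    port: m[3] || null, // null means "author did not write a port"
  };
}

// Extract the <uri> from a header value such as `allow <http://hixie.ch/>`.
function parseAllowRule(headerValue) {
  const m = /^\s*allow\s+<([^>]+)>\s*$/.exec(headerValue);
  if (!m) throw new Error("unsupported Access-Control rule: " + headerValue);
  return parseOrigin(m[1]);
}

// portPolicy is one of:
//   "unrestricted"   - a rule without an explicit port matches any port
//   "scheme-default" - a rule without an explicit port means the scheme's default port
function ruleMatchesOrigin(rule, origin, portPolicy) {
  if (rule.scheme !== origin.scheme || rule.host !== origin.host) return false;

  // The requesting origin always has a concrete port, written or implied.
  const originPort = origin.port || DEFAULT_PORTS[origin.scheme];
  if (originPort === undefined) return false; // unknown scheme, no default port

  if (rule.port !== null) return rule.port === originPort; // author wrote ":80" etc.
  if (portPolicy === "unrestricted") return true;          // the hole in the draft
  return DEFAULT_PORTS[rule.scheme] === originPort;         // recommended behaviour
}

// Convenience wrapper: does this header value authorise this requesting origin?
function decide(headerValue, requestOrigin, portPolicy) {
  return ruleMatchesOrigin(parseAllowRule(headerValue), parseOrigin(requestOrigin), portPolicy);
}

// Constructed demonstration inputs: the rule from the message and an origin
// served by someone else's process on a high port of the same host.
const RULE = "allow <http://hixie.ch/>";
const LEGIT = "http://hixie.ch/";
const SQUATTER = "http://hixie.ch:9999/";

for (const policy of ["unrestricted", "scheme-default"]) {
  console.log(
    `${policy}: ${LEGIT} -> ${decide(RULE, LEGIT, policy)}, ` +
    `${SQUATTER} -> ${decide(RULE, SQUATTER, policy)}`
  );
}
```

Under "unrestricted" the squatter's origin is accepted; under "scheme-default" it is rejected, and the legitimate origin still matches, which is the behaviour the message asks the spec to adopt. Writing the port out explicitly (`allow <http://hixie.ch:80/>`) closes the hole under either policy, but the point of the recommendation is that authors will not think to do so.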