[Bug 11203] Canvas security model does not allow for same-origin relaxation from bugzilla@jessica.w3.org on 2010-11-04 (public-html-bugzilla@w3.org from November 2010)

From: <bugzilla@jessica.w3.org>
Date: Thu, 04 Nov 2010 00:06:02 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1PDnL8-0007xQ-3t@jessica.w3.org>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=11203

--- Comment #10 from Boris Zbarsky <bzbarsky@mit.edu> 2010-11-04 00:06:01 UTC ---
> so long as A and B are part of the same parent domain.

Unfortunately, no.  It's common to use separate subdomains for security
isolation; changing that would lead to security holes in all sorts of existing
sites.

> depends on the UAs to properly set up the Origin header on the request,

I believe Webkit and Gecko have both been working on doing this for all
requests.

I don't know the answer to your cookies question off the top of my head.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Thursday, 4 November 2010 00:06:04 UTC