- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 26 Sep 2008 20:40:43 -0400
- To: Ian Hickson <ian@hixie.ch>
- CC: HTML WG <public-html@w3.org>
Ian Hickson wrote:
> Wouldn't the "null" value that has to be passed in such cases be enough to
> detect those cases?

Possibly. I'll be honest; what largely prompted this is that people started trying to add all sorts of just-slightly-different origin stringification methods to Gecko code, and any time I see that sort of thing happening with security code it gives me the "someone will change one of these functions and forget to change others" willies. Which is why ideally there would only be one function involved, period.... That's hard enough already with the Unicode vs ASCII thing in the spec, but all the _different_ special-casing of the non-host case makes it a lot worse.

> I agree that would be a possible benefit.

Fundamentally, by the way, that's what Access-Control seems to rely on...

> It seems, though I could of course be wrong, that exposing internals is a
> bigger disadvantage than the benefit gained.

If we care, we could probably even standardize a form for the globally unique identifier (say something like "html5-unique-origin:" followed by a reasonable GUID serialization).

-Boris
Received on Saturday, 27 September 2008 00:41:29 UTC
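
An added illustration of the exchange above, not part of the original message and not Gecko code: one origin stringifier shared by every caller, showing why a string comparison has to detect the "null" form, while a unique-identifier form such as "html5-unique-origin:" plus an identifier compares correctly with plain equality. All function names, and the counter used in place of a real GUID, are assumptions made for this example.

```javascript
// Added illustration; every name here is hypothetical, not Gecko or spec API.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };
let nextUniqueId = 1; // stand-in for a real GUID generator (assumption)

// Build an origin: a (scheme, host, port) tuple, or an opaque origin carrying
// a globally unique identifier when the URL has no usable host.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS) || u.hostname === '') {
    return { opaque: true, id: String(nextUniqueId++).padStart(8, '0') };
  }
  return { opaque: false, scheme: u.protocol, host: u.hostname,
           port: u.port || DEFAULT_PORTS[u.protocol] };
}

// The single stringifier. Callers choose whether the unique identifier may be
// exposed; they never assemble origin strings themselves.
function serializeOrigin(origin, exposeUniqueId = false) {
  if (origin.opaque) {
    return exposeUniqueId ? 'html5-unique-origin:' + origin.id : 'null';
  }
  const isDefault = origin.port === DEFAULT_PORTS[origin.scheme];
  return origin.scheme + '//' + origin.host + (isDefault ? '' : ':' + origin.port);
}

// String check on the "null" form: "null" must be detected and rejected,
// because every opaque origin serializes to the same string.
function sameOriginNullForm(a, b) {
  const sa = serializeOrigin(a);
  const sb = serializeOrigin(b);
  return sa !== 'null' && sa === sb;
}

// String check on the unique-identifier form: plain equality is sufficient.
function sameOriginUniqueForm(a, b) {
  return serializeOrigin(a, true) === serializeOrigin(b, true);
}
```

With the "null" form, an opaque origin cannot be matched even against itself, which is the information the unique-identifier form keeps at the cost of exposing the identifier.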