- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sun, 28 Sep 2008 22:57:26 -0400
- To: Anne van Kesteren <annevk@opera.com>
- CC: HTML WG <public-html@w3.org>
Anne van Kesteren wrote:

> Actually, per a recent update it will be the empty string. (It
> references the ASCII origin string from HTML5.)

OK. That helps a good bit.

> This still allows you to differentiate between legacy and modern clients
> though, as legacy clients won't include the header.

Good catch.

> Why do you need a string serialization for those cases? I don't think
> you do.

In practice, we (Gecko) must be able to produce a string serialization of all origins, because the Java security model relies on it. (Yes, I know I should have mentioned this before; I just did a search for places where we actually stringify origins.) I strongly suspect that returning an empty origin to Java would cause security bugs, so we need to continue returning nonempty globally unique strings there as needed. I'd love to have proof that this suspicion is wrong.

The only remaining question is whether Java will see the same origins as everything else; from a security standpoint this would be optimal, of course.

-Boris
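The two serializations the message contrasts, as an added illustration that is not part of the thread or of Gecko: the HTML5 ASCII origin string (empty for a globally unique origin, as the quoted update says), a separate nonempty serialization for a consumer like the plugin security model that cannot accept the empty string, and the legacy/modern client distinction based on whether the Origin header is present at all. The `unique:<token>` format and the `classify_request` labels are constructed for this example, not taken from any spec.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Union

# Default ports that the ASCII serialization omits.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


@dataclass(frozen=True)
class TupleOrigin:
    scheme: str
    host: str
    port: int


@dataclass(frozen=True)
class UniqueOrigin:
    # Globally unique token: a unique origin is same-origin only with itself.
    token: str


Origin = Union[TupleOrigin, UniqueOrigin]


def new_unique_origin() -> UniqueOrigin:
    return UniqueOrigin(secrets.token_hex(16))


def ascii_serialization(origin: Origin) -> str:
    """HTML5-style ASCII origin string: scheme://host[:port].
    Per the quoted update, a unique origin serializes to the empty string."""
    if isinstance(origin, UniqueOrigin):
        return ""
    port = "" if DEFAULT_PORTS.get(origin.scheme) == origin.port else f":{origin.port}"
    return f"{origin.scheme}://{origin.host.lower()}{port}"


def embedding_serialization(origin: Origin) -> str:
    """Nonempty, globally unique string for consumers that would mis-handle
    an empty origin. The 'unique:<token>' form is a constructed convention."""
    if isinstance(origin, UniqueOrigin):
        return f"unique:{origin.token}"
    return ascii_serialization(origin)


def classify_request(headers: Dict[str, str]) -> str:
    """Legacy clients send no Origin header; modern clients always send one,
    so an empty value means 'modern client with a unique origin'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" not in lowered:
        return "legacy-client"
    return "modern-unique-origin" if lowered["origin"] == "" else "modern-tuple-origin"
```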
Received on Monday, 29 September 2008 03:08:07 UTC