W3C home > Mailing lists > Public > public-webapi@w3.org > August 2007

Re: XHR: definition of same-origin

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 29 Aug 2007 05:25:51 +0200
To: Maciej Stachowiak <mjs@apple.com>
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <jpo9d399nrenc6rgegcs1gi2v27s4gniu5@hive.bjoern.hoehrmann.de>

* Maciej Stachowiak wrote:
>The XHR spec doesn't define same-origin. We had a webkit bug filed  
>differently where we apparently interpreted same-origin differently  
>than IE or Firefox: <http://bugs.webkit.org/show_bug.cgi?id=15100>
>In particular, we would not consider https://example.com:443/ to be  
>the same origin as https://example.com/.
>Since this affects interoperability as well as security I would  
>suggest adding a definition, unless the spec expected to define same- 
>origin is going to happen soon.

That might make sense, but I am unsure how the bug you mention is
relevant here. It seems clear to me that https://example.com:443/
and https://example.com/ are exactly the same resource identifier,
just like HTTPS://example.COM is the same as https://example.com/.

It seems to me that if we add some kind of definition, we would
not make explicit all the scheme-specific equivalence rules, and
as such not really clarify the matter for the specific issue you
mention. Could you say how you'd envision the fix to address the
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 29 August 2007 03:44:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:57 UTC