W3C home > Mailing lists > Public > public-webapi@w3.org > August 2007

Re: XHR: definition of same-origin

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 29 Aug 2007 00:36:30 -0700
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-Id: <538D9425-1677-4A53-BCAA-1461F2362121@apple.com>
To: Boris Zbarsky <bzbarsky@mit.edu>

On Aug 29, 2007, at 12:03 AM, Boris Zbarsky wrote:

> Maciej Stachowiak wrote:
>> Any definition of a same-origin policy would have to define how to  
>> determine the hostname and port.
> For what it's worth, an origin in Gecko also includes the scheme.   
> This handles things like http-to-https access (not allowed), unknown  
> schemes (only same-origin with another URI for that same unknown  
> scheme no matter what) and so forth well.

Yes, we compare schemes as well, I just mentioned this because getting  
the scheme is obvious, while getting the host might in principle be  

> -Boris
> P.S. If we do want to specify what an "origin" is we should perhaps  
> also think about URI schemes that do not have a host and port.

That's part of what makes things complicated. In a web page, for  
example, the origin for a frame that loaded "about:blank" will be the  
URI of its parent, not its own URI. Similarly for windows and openers.  
The XHR spec might be able to tell you what to do with the origin URI  
once you have it, and how to compare it to the URI to be loaded, but  
it can't tell you what the origin URI actually is. Probably the best  
hope for now is to include it in the HTML5 spec, although it's really  
needed for non-HTML languages as well.

Received on Wednesday, 29 August 2007 07:36:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:57 UTC