- From: Maciej Stachowiak <mjs@apple.com>
- Date: Wed, 29 Aug 2007 00:36:30 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: "Web API WG (public)" <public-webapi@w3.org>
On Aug 29, 2007, at 12:03 AM, Boris Zbarsky wrote:

> Maciej Stachowiak wrote:
>> Any definition of a same-origin policy would have to define how to
>> determine the hostname and port.
>
> For what it's worth, an origin in Gecko also includes the scheme.
> This handles things like http-to-https access (not allowed), unknown
> schemes (only same-origin with another URI for that same unknown
> scheme no matter what) and so forth well.

Yes, we compare schemes as well; I just mentioned this because getting the scheme is obvious, while getting the host might in principle be scheme-specific.

>
> -Boris
>
> P.S. If we do want to specify what an "origin" is we should perhaps
> also think about URI schemes that do not have a host and port.

That's part of what makes things complicated. In a web page, for example, the origin for a frame that loaded "about:blank" will be the URI of its parent, not its own URI. Similarly for windows and openers.

The XHR spec might be able to tell you what to do with the origin URI once you have it, and how to compare it to the URI to be loaded, but it can't tell you what the origin URI actually is. Probably the best hope for now is to include it in the HTML5 spec, although it's really needed for non-HTML languages as well.

Regards,
Maciej
Received on Wednesday, 29 August 2007 07:36:42 UTC
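The two points the thread makes about origins (comparison is on the scheme, host and port tuple, and an about:blank frame has no origin of its own but takes its creator's) can be shown with a small model. The following is an added example, not code from either WebKit or Gecko and not part of the original message. It uses the WHATWG `URL` class, which is global in Node.js, and assumes a fixed set of schemes that carry a host and port; the `HOST_SCHEMES` set, `originOf`, `sameOrigin` and `canAccess` names are this example's own.

```javascript
// Added example: a minimal model of origin comparison as discussed above
// (scheme, host, port) plus origin inheritance for about:blank.
// Illustrative only; this is not a browser's actual implementation.

// Schemes whose URLs carry a host and port. Assumption for this example,
// chosen to match the "special" schemes of the WHATWG URL standard.
const HOST_SCHEMES = new Set(['http:', 'https:', 'ftp:', 'ws:', 'wss:']);

// Compute the origin tuple of `urlString`.
// `creatorOrigin` is the origin of the document that created the browsing
// context (parent frame or opener). It is only consulted for about:blank,
// which inherits that origin instead of deriving one from its own URL.
function originOf(urlString, creatorOrigin = null) {
  const u = new URL(urlString);

  if (u.protocol === 'about:' && u.pathname === 'blank') {
    if (!creatorOrigin) {
      throw new Error('about:blank has no origin of its own; a creator origin is required');
    }
    return { ...creatorOrigin };
  }

  if (HOST_SCHEMES.has(u.protocol)) {
    // WHATWG URL lowercases the host and leaves `port` empty when it equals
    // the scheme's default, so http://h/ and http://h:80/ compare equal.
    return { scheme: u.protocol, host: u.hostname, port: u.port };
  }

  // Schemes without a meaningful host/port: key the origin on the scheme
  // alone, a simplified version of the unknown-scheme rule Boris describes.
  return { scheme: u.protocol, host: null, port: null };
}

// Two origins match only if all three components match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Would a document at `fromUrl` be allowed to touch a resource or document
// at `toUrl` under a same-origin check? `creatorOrigin` applies to either
// side if it is about:blank.
function canAccess(fromUrl, toUrl, creatorOrigin = null) {
  return sameOrigin(originOf(fromUrl, creatorOrigin), originOf(toUrl, creatorOrigin));
}
```

Note that `canAccess('http://example.com/', 'https://example.com/')` is false even though host and port agree: as the thread says, the scheme is part of the comparison. Likewise `originOf('about:blank', parentOrigin)` returns the parent's tuple, not anything derived from `about:blank` itself, which is why a spec that only compares URIs cannot say what the origin of such a frame is.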