- From: Asbjørn Ulsberg <asbjorn@ulsberg.no>
- Date: Fri, 21 Sep 2007 09:46:50 +0200
- To: "Boris Zbarsky" <bzbarsky@mit.edu>
- Cc: "Maciej Stachowiak" <mjs@apple.com>, "Web API WG (public)" <public-webapi@w3.org>
On Thu, 20 Sep 2007 18:40:09 +0200, Boris Zbarsky <bzbarsky@MIT.EDU> wrote: >> Can't we just reference RFC-3986, section 6.2.2 and 6.2.3? > > I don't see those saying anything about same-origin. What am I missing? Well, a fully normalized URI would be much easier to compare. The example URIs given earlier in this thread would, if normalized, be the exact same URIs. From RFC-3986 section 3.2.3: # A scheme may define a default port. For example, the "http" scheme # defines a default port of "80", corresponding to its reserved TCP # port number. The type of port designated by the port number (e.g., # TCP, UDP, SCTP) is defined by the URI scheme. URI producers and # normalizers should omit the port component and its ":" delimiter if # port is empty or if its value would be the same as that of the # scheme's default. > I do think that same-origin checks must be done on fully normalized > URIs, of course. Anything else doesn't make sense, really. Indeed. And that makes at least the example given in this thread void. There are perhaps more complex examples where two URIs would appear different even after normalization, but stuff like default port numbers doesn't. -- Asbjørn Ulsberg -=|=- asbjorn@ulsberg.no «He's a loathsome offensive brute, yet I can't look away»
Received on Friday, 21 September 2007 07:47:01 UTC