- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 25 Sep 2007 10:27:20 -0500
- To: Anne van Kesteren <annevk@opera.com>
- CC: "Web API WG (public)" <public-webapi@w3.org>
Anne van Kesteren wrote:
> Thanks Boris, Jonas and Maciej for your replies.
>
> http://dev.w3.org/2006/webapi/XMLHttpRequest/Overview.html#same-origin
....
> It would be nice to get some implementation feedback on what to do about
> data:, javascript: etc.

If you're going to refer to RFC 3987, you probably want to use the same terminology as that RFC. So the things that must be equal for the two URIs are the "scheme", "ihost", and "port". In particular, "ihost" might be an IP address literal (IPv6 or IPv4) and not a domain name.

With that caveat, that description basically matches Gecko's implementation for URI schemes that have a concept of ihost. For ones that do not, Gecko's implementation is that two such URIs are same-origin only if they are the same URI object (not string equality, but actual object identity). This covers data:, javascript:, about:, all unknown URI schemes, etc.

In practice, in Gecko, it's very very rare to have a page whose security context corresponds to a data: or javascript: URI; in fact I'm not sure the latter is possible.

-Boris
Received on Tuesday, 25 September 2007 15:27:59 UTC
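
The comparison rule described in this message, as an added example that is not part of the original e-mail and is not Gecko's code. It assumes the WHATWG `URL` parser as a stand-in for RFC 3987 parsing; `Uri`, `HOST_SCHEMES` (an assumed list of schemes that have an ihost) and `sameOrigin` are hypothetical names.

```javascript
// Added illustration; not Gecko's implementation.
// Assumption: these are the schemes that "have a concept of ihost".
const HOST_SCHEMES = new Set(['http:', 'https:', 'ftp:']);

class Uri {
  constructor(spec) {
    const u = new URL(spec);
    this.spec = spec;
    this.scheme = u.protocol; // includes the trailing colon, e.g. "http:"
    this.hasHost = HOST_SCHEMES.has(u.protocol);
    // hostname is lower-cased by the parser; an IP literal is a valid
    // ihost and is compared in its canonical form, e.g. "[::1]".
    this.ihost = this.hasHost ? u.hostname : null;
    // URL.port is "" when the port equals the scheme default, so
    // "http://h/" and "http://h:80/" compare equal.
    this.port = this.hasHost ? u.port : null;
  }
}

function sameOrigin(a, b) {
  // data:, javascript:, about:, unknown schemes: object identity only,
  // never string equality of the URI text.
  if (!a.hasHost || !b.hasHost) {
    return a === b;
  }
  // Schemes with an ihost: scheme, ihost and port must all match.
  return a.scheme === b.scheme && a.ihost === b.ihost && a.port === b.port;
}

// Constructed sample inputs.
const page = new Uri('http://example.org/app');
const dataA = new Uri('data:text/plain,hello');
const dataB = new Uri('data:text/plain,hello'); // same text, different object

console.log(sameOrigin(page, new Uri('http://EXAMPLE.org:80/api')));
console.log(sameOrigin(page, new Uri('https://example.org/app')));
console.log(sameOrigin(dataA, dataB));
console.log(sameOrigin(dataA, dataA));
```
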