- From: Maciej Stachowiak <mjs@apple.com>
- Date: Tue, 25 Sep 2007 13:55:53 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "Web API WG (public)" <public-webapi@w3.org>
On Sep 25, 2007, at 5:53 AM, Anne van Kesteren wrote:

> On Wed, 29 Aug 2007 08:51:29 +0200, Maciej Stachowiak <mjs@apple.com> wrote:
>>> Could you say how you'd envision the fix to address the problem?
>>
>> The current spec doesn't define "same origin" at all. Thinking about it more though, it seems like it would be impossible to define correctly without extensive detailed reference to HTML details.
>
> Do you still think this is true? What exactly is needed from HTML?

I'm not sure offhand if baseURI is the right way to determine the security domain. While setting document.domain does not apply, frames or windows initially loaded with about:blank or no URI at all generally get the security domain of their parent frame or opener respectively. I am not certain if this is also supposed to be reflected in baseURI in all cases, but in any case it doesn't in Safari (<iframe src="about:blank"> gets a baseURI of about:blank). So I don't think the spec can define the browsing context's origin without reference to HTML.

Regards,
Maciej

Received on Tuesday, 25 September 2007 20:56:09 UTC
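
An added example, not part of the original message or of any browser's code: a simplified JavaScript model of the point raised above, comparing an origin derived only from a context's own URI with one that follows the parent frame or opener for about:blank and URI-less contexts. The context objects (`url`, `parent`, `opener`) and all function names are hypothetical, and the sample contexts are constructed.

```javascript
// Simplified model (constructed for illustration): a browsing context is
// { url, parent, opener }, where url may be null or "about:blank".
function originOfURL(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Contexts loaded with about:blank or no URI carry no origin of their own.
function inheritsOrigin(ctx) {
  return ctx.url === null || ctx.url === "about:blank";
}

// Naive rule: look only at the context's own (base) URI.
function naiveOrigin(ctx) {
  if (inheritsOrigin(ctx)) return null; // nothing to compare against
  return originOfURL(ctx.url);
}

// Rule described in the message: a blank context takes the security domain
// of its parent frame, or of its opener when it is a window.
function effectiveOrigin(ctx) {
  const seen = new Set();
  let cur = ctx;
  while (cur && inheritsOrigin(cur)) {
    if (seen.has(cur)) return null; // guard against cyclic opener links
    seen.add(cur);
    cur = cur.parent || cur.opener || null;
  }
  return cur ? originOfURL(cur.url) : null;
}

// Two contexts are same-origin only if both resolve to the same origin.
function sameOrigin(a, b, originFn) {
  const oa = originFn(a);
  const ob = originFn(b);
  return oa !== null && oa === ob;
}

// Constructed sample contexts.
const page = { url: "https://app.example/inbox", parent: null, opener: null };
const blankFrame = { url: "about:blank", parent: page, opener: null };
const popup = { url: null, parent: null, opener: blankFrame };
const other = { url: "https://other.example/", parent: null, opener: null };
```

Under the naive rule the blank frame never matches its own parent, while the inheritance rule resolves both the frame and a window opened from it to the parent page's origin.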