Re: [manifest] Parsing origins, was Re: Review of Web Application Manifest Format and Management APIs

On May 26, 2012, at 7:23 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Sat, May 26, 2012 at 10:26 AM, Anant Narayanan <anant@mozilla.com> wrote:
>> On 05/25/2012 11:11 PM, Adam Barth wrote:
>>>> On Fri, May 25, 2012 at 7:39 AM, Marcos Caceres <w3c@marcosc.com> wrote:
>>>> On Sunday, May 13, 2012 at 5:47 PM, Anant Narayanan wrote:
>>>>>>> installs_allowed_from: An array of origins that are allowed to trigger
>>>>>>> installation of this application. This field allows the developer to
>>>>>>> restrict installation of their application to specific sites. If the value
>>>>>>> is omitted, installs are allowed from any site.
>>>>>> 
>>>>>> How are origins parsed?
>>>>> 
>>>>> I'm not sure what the question means, but origins are essentially a
>>>>> combination of [protocol]://[hostname]:[port]. Whenever an install is
>>>>> triggered, the UA must check if the origin of the page triggering the
>>>>> install is present in this array. * is a valid value for
>>>>> installs_allowed_from, in which case the UA may skip this check.
>>>> 
>>>> By parsing I mean which ones win, which ones get discarded, what happens
>>>> to invalid ones, are they resolved already, etc. in the following:
>>>> 
>>>> installs_allowed_from: [ "   http://foo/ ", "bar://", 22,
>>>> "https://foo/bar/#*", "http://foo:80/", "wee!!!", "http://baz/hello there!",
>>>> "http://baz/hello%20there!"]
>>>> 
>>>> And so on. So, all the error handling stuff. Or is a single error fatal?
>>> 
>>> I seem to have missed the context for this thread, but typically
>>> origins are not parsed.  They're compared character-by-character to
>>> see if they're identical.  If you have a URL, you can find its origin
>>> and then serialize it to ASCII or Unicode if you want to compare it
>>> with another origin.
>> 
>> Ah we could certainly do this, but in our current implementation a single
>> error is fatal. I do like the idea of not making sure that the origins are
>> valid, especially for installs_allowed_from.
> 
> As a point of reference, here's what CORS does:
> 
> ---8<---
> If the value of Access-Control-Allow-Origin is not a case-sensitive
> match for the value of the Origin header as defined by its
> specification, return fail and terminate this algorithm.
> --->8---
> 
> http://www.w3.org/TR/cors/#resource-sharing-check-0
> 
> I would encourage you not to allow sloppiness in origins.  That's just
> asking for security problems.
> 

I agree, but at a minimum, define how to deal with whitespace and escaped character sequences.

Received on Saturday, 26 May 2012 21:22:11 UTC
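The check Anant describes (take the origin of the page triggering the install and look for it in installs_allowed_from), done the way Adam recommends (no parsing of the manifest entries, a case-sensitive character-by-character comparison against the serialized origin), as an added example in JavaScript. This is not code from the thread, from any UA, or from the manifest spec. Assumptions: the function names, the reading that a "*" entry anywhere in the array skips the check, the choice to fail closed on a malformed field or an opaque ("null") origin, and the sample manifest, which reuses Marcos's list plus one uppercase host. The second function is the developer-side answer to Marcos's question: with strict comparison nothing has to be rejected or fixed up at install time, but any entry that is not already in serialized-origin form can never match, so a linter can point that out.

```javascript
// Added example, not from the thread or any UA. Function names and the
// "*" handling are assumptions (see lead-in).

// Serialized origin of the page that triggered the install. The URL parser's
// origin serialization is canonical: lowercase scheme and host, default port
// omitted, no path, query, fragment, or trailing slash. Opaque origins
// (data:, blob:, about:) serialize to the string "null".
function installerOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// Adam's rule: do not parse the manifest entries at all, just compare them
// character-by-character (case-sensitively) with the serialized origin.
function installAllowedFrom(manifest, pageUrl) {
  const allowed = manifest.installs_allowed_from;
  if (allowed === undefined) return true;     // field omitted: any site may install
  if (!Array.isArray(allowed)) return false;  // malformed field: fail closed
  const origin = installerOrigin(pageUrl);
  if (origin === "null") return false;        // an opaque origin never matches, even against "*"
  return allowed.some((entry) => entry === "*" || entry === origin);
}

// Developer-side lint. An entry that is not itself a serialized origin
// (surrounding whitespace, a path or fragment, an explicit default port,
// percent-escapes, an uppercase host, a non-string, a non-hierarchical
// scheme) can never equal any page's origin under strict comparison.
// Returns the entries that are dead weight.
function deadAllowedFromEntries(manifest) {
  const list = Array.isArray(manifest.installs_allowed_from)
    ? manifest.installs_allowed_from
    : [];
  const dead = [];
  for (const entry of list) {
    if (entry === "*") continue;
    if (typeof entry !== "string") {
      dead.push(entry); // e.g. the number 22
      continue;
    }
    let parsed;
    try {
      parsed = new URL(entry);
    } catch {
      dead.push(entry); // not even a URL ("wee!!!")
      continue;
    }
    // "bar://" has an opaque origin; everything else on the sloppy list
    // parses but does not round-trip to itself as an origin.
    if (parsed.origin === "null" || parsed.origin !== entry) dead.push(entry);
  }
  return dead;
}

// Constructed sample manifests: Marcos's list from the thread plus an
// uppercase host, and a manifest written in serialized-origin form.
const SLOPPY_MANIFEST = {
  installs_allowed_from: [
    "   http://foo/ ", "bar://", 22, "https://foo/bar/#*", "http://foo:80/",
    "wee!!!", "http://baz/hello there!", "http://baz/hello%20there!", "http://FOO",
  ],
};
const STRICT_MANIFEST = {
  installs_allowed_from: ["http://foo", "https://baz:8443"],
};
```

With the sloppy manifest every entry is reported dead and an install from http://foo/ is refused, because "http://foo" appears nowhere in the array verbatim; with the strict manifest a page at http://foo:80/app/install is accepted, since its origin serializes to "http://foo". Whitespace and escape handling therefore never needs to be specified for the comparison itself; it only matters if a UA chose to normalise entries, which is exactly the sloppiness Adam warns against.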