- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 7 Nov 2014 10:11:16 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Boris Zbarsky <bzbarsky@mit.edu>, Valentin Gosu <valentin.gosu@gmail.com>
On Thu, Nov 6, 2014 at 10:37 PM, Brian Smith <brian@briansmith.org> wrote:
> It seems Gecko also treats them as separate origins. So, I guess the
> currently-specified behavior may be OK. However, note that there are
> negative consequences to this, for example HSTS bypass.
>
> Regardless of which way is considered correct, I think it would be
> useful to clarify this (e.g. with a non-normative example) because I
> can see people getting it wrong either way.
>
> Note that when it comes to certificate hostname matching, Chrome (for
> a while) and Firefox (as of recently) both treat "example.com." as
> equal to "example.com".

It would be interesting to consider if we could normalize the dot away during URL parsing. This would make "http://example.com./" always load "http://example.com/" and we'd basically not expose a way to get to the former. Is that a realistic option?

If we cannot do it we should continue to treat them as distinct origins, though perhaps not for certain things, such as HSTS and certificates.

--
https://annevankesteren.nl/
Received on Friday, 7 November 2014 09:11:43 UTC
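The two behaviours the thread contrasts, as an added example that is not part of the original message: origin comparison with and without the trailing-dot normalization Anne proposes, and an HSTS lookup that misses the dotted spelling when the store is keyed on the raw host. The HSTS store, and the helper names `normalize_host`, `origin` and `hsts_upgrade`, are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Default ports, so that an explicit ":443" and an omitted port compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_host(host):
    """Drop a single trailing dot from a host ("example.com." -> "example.com")."""
    if len(host) > 1 and host.endswith("."):
        return host[:-1]
    return host


def origin(url, normalize_trailing_dot=False):
    """Return the (scheme, host, port) origin tuple of url.

    Without normalization the FQDN spelling keeps its dot and therefore
    forms a distinct origin, which is the behaviour described for Gecko.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if normalize_trailing_dot:
        host = normalize_host(host)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, host, port)


def same_origin(a, b, normalize_trailing_dot=False):
    return origin(a, normalize_trailing_dot) == origin(b, normalize_trailing_dot)


def hsts_upgrade(url, hsts_hosts, normalize_trailing_dot=False):
    """Upgrade an http:// URL to https:// when its host has an HSTS entry.

    hsts_hosts is a constructed set of host names as the browser pinned them.
    Keyed on the raw host string, an entry for "example.com" never matches
    "example.com.", so the dotted spelling would be fetched in plaintext;
    that is the HSTS bypass the thread mentions. Normalizing first closes it.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if normalize_trailing_dot:
        host = normalize_host(host)
    if parts.scheme == "http" and host in hsts_hosts:
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return parts._replace(scheme="https", netloc=netloc).geturl()
    return url
```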