- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 30 Apr 2008 20:51:37 +0000 (UTC)
On Wed, 30 Apr 2008, Jeff Walden wrote:
>
> It was brought up during the latest postMessage patching in Mozilla that
> the HTML5-mandated origin for file: URIs groups all local file system
> pages into a single origin. Pages are increasingly being used in
> application-like contexts, and if Java is any example, grouping all
> files into the same origin will eventually be problematic (if one even
> chooses to argue it isn't now). (Firefox 3's postMessage will be
> intentionally non-conforming with respect to file: pages in that sending
> a message to a file: page will only work if you use "*" as the
> targetOrigin, in the interests of not having different security
> behaviors.)
>
> Firefox 3 changes from an all-files-are-same-origin model to a
> contains-based model, roughly this in at least some cases: a file may
> load any file which is a sibling of it, and it may load any file which
> is a descendant of the file's parent directory. I'm certain I'm
> horribly mangling what actually happens in practice in at least some
> situations, based on what I've read of the security comparison
> functions, but this is at least a start at describing the behavior for
> specification. The original bug was
> <https://bugzilla.mozilla.org/show_bug.cgi?id=230606>, but follow
> dependencies and read comments to see what sort of issues were actually
> encountered in practice and couldn't be ignored without breaking wide
> swathes of content.

I've changed the spec to allow arbitrary behaviour for file://.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 30 April 2008 13:51:37 UTC
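
The containment rule as the quoted message words it (a sibling, or a descendant of the file's parent directory), shown next to the all-files-one-origin model it replaces. This is an added sketch, not Firefox's implementation and not part of the original message; `parentDir`, `mayLoad` and `sameOriginAllFiles` are hypothetical names and every URL is a constructed sample.

```javascript
// Added sketch, not Firefox's code: the containment rule as the quoted message words it.
// parentDir, mayLoad and sameOriginAllFiles are hypothetical names.

// Directory part of a file: URL's path, always ending in "/".
function parentDir(fileUrl) {
  const u = new URL(fileUrl); // the WHATWG parser resolves "." and ".." segments
  if (u.protocol !== "file:") throw new TypeError("not a file: URL: " + fileUrl);
  return u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
}

// True when target is a sibling of source or a descendant of source's parent directory.
// Assumption: the parent directory itself is neither, so it is refused.
function mayLoad(source, target) {
  const base = parentDir(source);
  const s = new URL(source);
  const t = new URL(target, source); // relative references resolve against source
  if (t.protocol !== "file:" || t.host !== s.host) return false;
  // base ends in "/", so ".../report-old/x" does not pass as being inside ".../report/".
  return t.pathname.length > base.length && t.pathname.startsWith(base);
}

// The earlier model the message describes: every file: page shares one origin.
function sameOriginAllFiles(a, b) {
  return new URL(a).protocol === "file:" && new URL(b, a).protocol === "file:";
}

// Constructed sample page and load targets.
const page = "file:///home/u/docs/report/index.html";
const samples = [
  "style.css",                                 // sibling
  "img/chart.png",                             // descendant of the parent directory
  "../other/notes.html",                       // climbs out of the parent directory
  "img/../../other/notes.html",                // same escape, hidden behind a subdirectory
  "file:///home/u/docs/report-old/index.html", // shares a name prefix only
];
for (const t of samples) {
  console.log(t, "contains-based:", mayLoad(page, t),
              "single-origin:", sameOriginAllFiles(page, t));
}
```
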