- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 27 Nov 2008 02:19:18 +0000 (UTC)
On Fri, 13 Jun 2008, Adam Barth wrote: > > The current draft of the spec doesn't specify how to compute the cookie > context for a document. Here is how to compute it: > > A document's cookie context can be represented as a URI and largely (but > not exactly) follows the document's origin. > > 1) If the document does not have a browsing context (e.g., it was > retrieved via XMLHttpRequest or created using createDocument) then it's > cookie context is "" or about:blank (or whatever you prefer for "I don't > have a cookie context"). > > 2) If the document was served over the network and has an address that > uses a URI scheme with a server-based naming authority, then the > document's cookie context is that URI. I've specced the above, including the handling of document.open(). > 3) If the document has the URI about:blank or "", then, like the origin, > the document's cooke context is the cookie context of the parent > browsing context (if it has a parent) or the cookie context of the > opener browsing context (if it has an opener but no parent). Failing > that, the document's cookie context is about:blank or "" (or whatever > you prefer for "I don't have a cookie context"). I wasn't able to reproduce this. In particular, I couldn't work out what browsers were doing for the case of setting cookies on an about:blank frame. It wasn't reflecting the cookies on the parent browsing context. I've made the spec say that for these cases (specifically, when the document URI doesn't have a server-based naming authority) that .cookie always returns "". If this isn't implementable, it would be helpful to have test cases demonstrating what exactly it should specify. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 26 November 2008 18:19:18 UTC