[whatwg] A document's cookie context

On Fri, 13 Jun 2008, Adam Barth wrote:
>
> The current draft of the spec doesn't specify how to compute the cookie 
> context for a document.  Here is how to compute it:
> 
> A document's cookie context can be represented as a URI and largely (but 
> not exactly) follows the document's origin.
> 
> 1) If the document does not have a browsing context (e.g., it was 
> retrieved via XMLHttpRequest or created using createDocument) then its 
> cookie context is "" or about:blank (or whatever you prefer for "I don't 
> have a cookie context").
> 
> 2) If the document was served over the network and has an address that 
> uses a URI scheme with a server-based naming authority, then the 
> document's cookie context is that URI.

I've specced the above, including the handling of document.open().


> 3) If the document has the URI about:blank or "", then, like the origin, 
> the document's cookie context is the cookie context of the parent 
> browsing context (if it has a parent) or the cookie context of the 
> opener browsing context (if it has an opener but no parent). Failing 
> that, the document's cookie context is about:blank or "" (or whatever 
> you prefer for "I don't have a cookie context").

I wasn't able to reproduce this. In particular, I couldn't work out what 
browsers were doing for the case of setting cookies on an about:blank 
frame. It wasn't reflecting the cookies on the parent browsing context.

I've made the spec say that for these cases (specifically, when the 
document URI doesn't have a server-based naming authority) .cookie 
always returns "". If this isn't implementable, it would be helpful to 
have test cases demonstrating what exactly it should specify.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 26 November 2008 18:19:18 UTC
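
The rules discussed in this message, as an added JavaScript sketch (not code from the e-mail, the spec, or any browser): `cookieContext` follows the three quoted rules, and `inherit: false` switches to the behaviour the reply describes, where a document whose URI lacks a server-based naming authority gets "". The document model (`uri`, `browsingContext`, `parent`, `opener`), the scheme list, and the sample documents are assumptions made for illustration.

```javascript
// Assumed list of schemes with a server-based naming authority.
const SERVER_BASED = new Set(["http:", "https:", "ftp:"]);
const NO_CONTEXT = ""; // "I don't have a cookie context"

function hasServerAuthority(uri) {
  try {
    const u = new URL(uri);
    return SERVER_BASED.has(u.protocol) && u.host !== "";
  } catch {
    return false; // "" and other unparsable addresses
  }
}

// doc (hypothetical model): { uri, browsingContext: null | { parent, opener } },
// where parent/opener are the documents in those browsing contexts.
// Documents with a server-based URI are assumed to have come from the network.
function cookieContext(doc, { inherit = true } = {}, seen = new Set()) {
  if (!doc || !doc.browsingContext) return NO_CONTEXT;   // rule 1
  if (hasServerAuthority(doc.uri)) return doc.uri;       // rule 2
  if (!inherit) return NO_CONTEXT;                       // reply: always ""
  // Rule 3 applies only to about:blank and ""; other URIs are not covered
  // by the quoted rules, so this sketch gives them no context (assumption).
  if (doc.uri !== "about:blank" && doc.uri !== "") return NO_CONTEXT;
  if (seen.has(doc)) return NO_CONTEXT;                  // guard opener cycles
  seen.add(doc);
  const { parent, opener } = doc.browsingContext;
  if (parent) return cookieContext(parent, { inherit }, seen);
  if (opener) return cookieContext(opener, { inherit }, seen);
  return NO_CONTEXT;
}

// Constructed sample documents.
const topDoc = { uri: "https://example.com/app",
                 browsingContext: { parent: null, opener: null } };
const blankFrame = { uri: "about:blank",
                     browsingContext: { parent: topDoc, opener: null } };
const popup = { uri: "", browsingContext: { parent: null, opener: topDoc } };
const xhrDoc = { uri: "https://example.com/data.xml", browsingContext: null };
const orphanBlank = { uri: "about:blank",
                      browsingContext: { parent: null, opener: null } };

function demo() {
  for (const d of [topDoc, blankFrame, popup, xhrDoc, orphanBlank]) {
    console.log(JSON.stringify(d.uri), "proposed:", JSON.stringify(cookieContext(d)),
      "as specced:", JSON.stringify(cookieContext(d, { inherit: false })));
  }
}
```

Calling `demo()` prints both results side by side; the about:blank frame and the popup are the two cases where the proposal and the specced behaviour differ.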