- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 16 Sep 2008 01:05:22 +0200
> On the subject of fallbacks, I don't think the spec is quite clear on
> how the fallbacks are meant to be loaded. There seem to be two
> possible interpretations:
>
> 1) The fallback resource is loaded by the client as though it were
> loaded from the original URI - security decisions are made with the
> original URI, and window.location, bookmarks, history, etc. all
> reflect the original URI. This is somewhat analogous to the real
> server returning fallback content at the original URI.
>
> 2) The fallback resource is loaded by the client as though it were
> loaded from the fallback URI for purposes of security decisions,
> window.location, etc. But bookmarks, history, etc all reflect the
> original URI. This is somewhat analogous to a server redirect (with
> bookmark/history changes to reflect the original URI), or to a frame
> at the original URI including the fallback URI (but without the
> intermediate window object).
>
> We need to decide which of these behaviors makes the most sense. The
> first seems the most straightforward, though I think we'd want a few
> changes:
>
> a) The fallback URI should be required to have the same origin as the namespace.
> b) Maybe there should be some way for the page to know that it was
> loaded as a fallback.
>
> If we settle on the second approach, we need to give the page some way
> to find out what the original URI was (since window.location will
> point to the fallback URI).

It seems to me like 1 is the most expected by the user. For example if I'm browsing around on bugzilla I would expect to see (and be able to bookmark etc) the usual URIs that I see when I'm online.

From a security point of view either seems possible to reason about, though in different ways. (This is assuming that we apply same-origin restrictions, which I really think we should).

With 1 you can think of it as if the server had simply returned the resource on the fallback uri, rather than the resource on the usual uri. So it is as if you have a very primitive http server baked in to the browser that can return different resources while in offline mode.

With 2 you can think of it as if the server had returned a redirect with some extra parameters pointing out the original URI that was loaded. So it is as if you have a very primitive http server baked in to the browser that can return redirect responses while in offline mode.

/ Jonas
Received on Monday, 15 September 2008 16:05:22 UTC
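The two interpretations discussed in this message, modelled side by side as an added example that is not part of the original thread or of any browser's code. The function names, the result fields and the `bugs.example.org` URLs are hypothetical and constructed for illustration; the same-origin rejection implements restriction (a) as proposed in the quoted text.

```javascript
// Added illustration; every name and URL here is an assumption, not spec text.

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// entry: { namespace, fallback }, one fallback mapping from a manifest.
// Returns what the client would expose for an offline load of requestedUri,
// or null when the entry is rejected or does not cover the request.
function resolveFallback(requestedUri, entry, interpretation) {
  // Restriction (a): the fallback must share the namespace's origin.
  if (!sameOrigin(entry.namespace, entry.fallback)) return null;

  // The request must be same-origin with the namespace and prefix-match it.
  // Comparing normalized hrefs avoids matching a look-alike host by prefix.
  const req = new URL(requestedUri).href;
  const ns = new URL(entry.namespace).href;
  if (!sameOrigin(req, ns) || !req.startsWith(ns)) return null;

  const common = {
    bodyFrom: entry.fallback,   // bytes always come from the cached fallback
    bookmark: requestedUri,     // both interpretations keep the original here
    originalUri: requestedUri,  // what interpretation 2 must expose to the page
    loadedAsFallback: true,     // suggestion (b): let the page find out
  };

  if (interpretation === 1) {
    // As if the server had returned the fallback body at the original URI.
    return { ...common,
      securityOrigin: new URL(requestedUri).origin,
      location: requestedUri };
  }
  // Interpretation 2: as if the server had redirected to the fallback URI.
  return { ...common,
    securityOrigin: new URL(entry.fallback).origin,
    location: entry.fallback };
}

// Constructed sample input.
const sampleEntry = {
  namespace: "https://bugs.example.org/show_bug.cgi",
  fallback: "https://bugs.example.org/offline.html",
};
const sampleRequest = "https://bugs.example.org/show_bug.cgi?id=42";
```

With restriction (a) enforced, both interpretations yield the same security origin, so the observable difference is confined to `location` and to how the page learns the original URI.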