- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 2 Jun 2009 09:23:34 +0000 (UTC)
On Fri, 9 Jan 2009, Boris Zbarsky wrote:
>
> I've recently come across another issue with the origin definition.
>
> Right now, this says:
>
> 1) If url does not use a server-based naming authority, or if parsing
>    url failed, or if url is not an absolute URL, then return a new
>    globally unique identifier.
> 2) Return the tuple (scheme, host, port).
>
> (with some steps to determine the tuple thrown in).
>
> In Gecko, we actually have three classes of URIs for security purposes:
>
> 1) Those for which the URI is not same-origin with anything (the
>    globally unique identifier case).
> 2) Those for which the URI is same-origin with anything with the same
>    scheme+host+port.
> 3) Those for which the URI is same-origin with itself but no other URI
>    (not to be confused with the globally unique identifier case).
>
> It would be nice if we could express this in terms of the origin setup, but it
> doesn't seem to me like that's workable as things stand...

On Fri, 9 Jan 2009, Adam Barth wrote:
>
> Can you give an example of this kind of URI?

On Fri, 9 Jan 2009, Boris Zbarsky wrote:
>
> Yes, of course. IMAP URIs [1] have an authority component which is the
> IMAP server. At the same time, each message needs to be treated as a
> separate trust domain.
>
> Similar for the proposed nntp URIs [2].
>
> [1] http://www.rfc-editor.org/rfc/rfc5092.txt
> [2] http://tools.ietf.org/html/draft-ellermann-news-nntp-uri-11

I've updated the algorithm for deriving an Origin from a URL in the HTML5
spec to handle this case.

Adam: I believe that you are editing a draft that also has this algorithm;
what parts of HTML5 should I be stripping here? Will this particular
algorithm belong in your draft or HTML5? (If the former, can you take this
change also?)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 2 June 2009 02:23:34 UTC
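
The three classes of URI discussed in this thread can be modelled as three kinds of origin value with different equality rules. The sketch below is an added example, not text from the HTML5 spec and not Gecko's code; the scheme tables, the function names `deriveOrigin` and `sameOrigin`, and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration. Which schemes fall in which class is an assumption here,
// based only on the examples named in the thread (IMAP and nntp URIs).
const TUPLE_SCHEMES = new Map([["http:", 80], ["https:", 443]]); // class 2, default ports
const PER_URL_SCHEMES = new Set(["imap:", "nntp:"]);             // class 3

let nextUniqueId = 0; // source of "globally unique identifier" values (class 1)

function deriveOrigin(input) {
  let url;
  try {
    url = new URL(input); // throws if parsing fails or the URL is not absolute
  } catch {
    return { kind: "unique", id: nextUniqueId++ };
  }
  if (PER_URL_SCHEMES.has(url.protocol)) {
    // Class 3: the authority (the server) is not the trust boundary;
    // each individual URL is its own trust domain.
    return { kind: "per-url", href: url.href };
  }
  if (TUPLE_SCHEMES.has(url.protocol)) {
    // Class 2: (scheme, host, port), with the default port made explicit.
    const port = url.port === "" ? TUPLE_SCHEMES.get(url.protocol) : Number(url.port);
    return { kind: "tuple", scheme: url.protocol, host: url.hostname, port };
  }
  // Class 1: everything else gets a fresh identifier on every derivation.
  return { kind: "unique", id: nextUniqueId++ };
}

function sameOrigin(a, b) {
  if (a.kind !== b.kind) return false;
  switch (a.kind) {
    case "tuple":
      return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
    case "per-url":
      return a.href === b.href; // same URL derives an equal origin
    default:
      return a.id === b.id;     // only the very same derived value matches
  }
}

// Constructed sample URLs.
const msg1 = "imap://mail.example.org/INBOX/;uid=1";
const msg2 = "imap://mail.example.org/INBOX/;uid=2";
console.log(sameOrigin(deriveOrigin(msg1), deriveOrigin(msg1))); // same message
console.log(sameOrigin(deriveOrigin(msg1), deriveOrigin(msg2))); // same server, other message
```

The difference between class 1 and class 3 shows up when the same URL is derived twice: a per-URL origin compares equal to itself, while a unique-identifier origin never matches a second derivation.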