- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 14 Jul 2010 20:18:33 -0400
On 7/14/10 6:40 PM, Hallvord R M Steen wrote: > My personal opinion is that protocol+host+port is better, simply > because authors might assume the path is significant (i.e. think that > 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar' > would be different origins). Allowing paths that are simply ignored > might muddle the "origin" concept - not a major problem, but a small > potential point of confusion. I've actually used urls with a path for the origin; specifically when I wanted to pass in "the origin of this page". In particular, I passed in location.href. I'm fine with removing the ability to pass in a path _if_ we create a simple way for scripts to get origins from pages which can then be passed for this argument. The alternative is that scripts will be parsing location.href themselves to extract the thing to pass as the origin string, which is just asking for security fail in my experience. -Boris
Received on Wednesday, 14 July 2010 17:18:33 UTC