- From: Simon Pieters <simonp@opera.com>
- Date: Thu, 15 Jul 2010 09:40:50 +0200
On Thu, 15 Jul 2010 02:18:33 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 7/14/10 6:40 PM, Hallvord R M Steen wrote:
>> My personal opinion is that protocol+host+port is better, simply
>> because authors might assume the path is significant (i.e. think that
>> 'http://www.geocities.com/foo' and 'http://www.geocities.com/bar'
>> would be different origins). Allowing paths that are simply ignored
>> might muddle the "origin" concept - not a major problem, but a small
>> potential point of confusion.
>
> I've actually used urls with a path for the origin; specifically when I
> wanted to pass in "the origin of this page". In particular, I passed in
> location.href.
>
> I'm fine with removing the ability to pass in a path _if_ we create a
> simple way for scripts to get origins from pages which can then be
> passed for this argument.

The simple way to pass in the current origin, per spec, is to use the string "/".

> The alternative is that scripts will be parsing location.href themselves
> to extract the thing to pass as the origin string, which is just asking
> for security fail in my experience.

Even without the special string "/", a simple enough way to construct the origin is location.protocol+"//"+location.host.

--
Simon Pieters
Opera Software
Received on Thursday, 15 July 2010 00:40:50 UTC
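
The thread's concern about hand-parsing `location.href`, shown as an added example that is not part of the original message: it compares the URL parser's origin and the `protocol + "//" + host` construction with a naive string split. The helper names and all sample URLs are constructed for illustration, and the use of the standard `URL` object in place of `window.location` is an assumption so the code runs outside a browser.

```javascript
// Added example: derive an origin string with the platform URL parser,
// next to a hand-rolled split of the kind the thread warns about.
// All URLs below are constructed sample values.

// Hypothetical helper: returns "scheme://host[:port]" or throws.
function originOf(urlString) {
  const url = new URL(urlString); // throws TypeError on unparsable input
  // Opaque origins (data:, and similar) serialize as "null" and cannot
  // name a real target, so reject them instead of passing them on.
  if (url.origin === "null") {
    throw new Error("URL has an opaque origin: " + urlString);
  }
  return url.origin; // path, query and fragment are not part of the origin
}

// The construction from the message, applied to a parsed URL object
// (in a browser this would be window.location).
function originFromParts(loc) {
  return loc.protocol + "//" + loc.host;
}

// Naive parsing: treat everything between "//" and the next "/" or ":"
// as the host. It drops ports and mistakes userinfo for the host.
function naiveOrigin(urlString) {
  const m = /^(\w+:)\/\/([^\/:]+)/.exec(urlString);
  return m ? m[1] + "//" + m[2] : null;
}

function demo() {
  const samples = [
    "http://www.geocities.com/foo",
    "http://www.geocities.com/bar",
    "https://example.com:8443/a/b?q=1#frag",
    "http://trusted.example:pw@other.example/page",
  ];
  return samples.map((s) => ({
    url: s,
    parsed: originOf(s),
    parts: originFromParts(new URL(s)),
    naive: naiveOrigin(s),
  }));
}

console.log(demo());
```

The first two samples yield the same origin, the third shows the naive split losing the port, and the fourth shows it returning the userinfo portion instead of the real host.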