- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 15 Jul 2010 07:38:49 -0400
On 7/15/10 3:40 AM, Simon Pieters wrote:
> The simple way to pass in the current origin, per spec, is to use the
> string "/".

Sounds like yet another spec change? Gecko certainly doesn't support that, so it wasn't in the spec when we implemented...

>> The alternative is that scripts will be parsing location.href
>> themselves to extract the thing to pass as the origin string, which is
>> just asking for security fail in my experience.
>
> Even without the special string "/", a simple enough way to construct
> the origin is location.protocol+"//"+location.host.

Thanks for an _excellent_ illustration of my point. Your code will happily pass in strings like "about://" for about:blank, "jar://example.com" for "jar:http://example.com/!" (when the correct origin is "http://example.com/"), etc. It's _exactly_ the sort of naive "everything is http" URI parsing that will get you in trouble in edge cases.

-Boris
Received on Thursday, 15 July 2010 04:38:49 UTC
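The contrast Boris draws above, as an added example that is not part of the thread: the naive `location.protocol + "//" + location.host` construction is run side by side with the origin a real URL parser reports, over constructed sample hrefs that include the thread's two edge cases. Node's global `URL` class stands in for `window.location` (it exposes the same `.protocol`, `.host` and `.origin` fields); the function names, the sample hrefs and the blob: example are my own and not from the original messages.

```javascript
// Added example (not from the thread): compare two ways of deriving a
// postMessage targetOrigin. Node's global URL replaces window.location here.

// The construction quoted in the thread: location.protocol + "//" + location.host.
// URL has the same .protocol and .host fields as Location, so this mirrors
// what a page would compute for each href.
function naiveOrigin(href) {
  const loc = new URL(href);
  return loc.protocol + "//" + loc.host;
}

// The parser-derived origin. The URL parser serialises an opaque origin
// (about:blank, jar:, data:, ...) as the literal string "null"; a targetOrigin
// of "null" can never match a real origin, so return null instead of a string
// the caller might hand straight to postMessage.
function safeTargetOrigin(href) {
  const origin = new URL(href).origin;
  return origin === "null" ? null : origin;
}

// Constructed sample hrefs: the two edge cases from the thread, a blob: URL
// (whose real origin is that of the embedded http URL) and an ordinary http
// page with a non-default port, where both derivations agree.
const SAMPLE_HREFS = [
  "about:blank",
  "jar:http://example.com/!",
  "blob:http://example.com/0c1e2b0a-constructed-id",
  "http://example.com:8080/app/index.html",
];

// Run both derivations over each sample; a row is flagged "mismatch" when the
// naive string differs from what the parser says the origin is.
function compareOrigins(hrefs = SAMPLE_HREFS) {
  return hrefs.map((href) => {
    const naive = naiveOrigin(href);
    const safe = safeTargetOrigin(href);
    return { href, naive, safe, mismatch: naive !== safe };
  });
}

// Receiving side: accept a message only when event.origin equals the expected
// origin string exactly (no prefix or substring matching).
function isTrustedMessage(event, expectedOrigin) {
  return typeof expectedOrigin === "string" && event.origin === expectedOrigin;
}

for (const row of compareOrigins()) console.log(row);
```

With Node's parser the jar: sample yields `"jar://"` (the host is empty because the parser treats `jar:` as an opaque-path scheme), while Boris reports Gecko producing `"jar://example.com"`; either way the naive string is not the page's origin, which is the point. Only the http sample survives the comparison intact, and `safeTargetOrigin` returns `null` for the two opaque cases so a caller can refuse to post rather than send to an origin that does not exist.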