- From: Simon Pieters <simonp@opera.com>
- Date: Thu, 15 Jul 2010 14:13:02 +0200
On Thu, 15 Jul 2010 13:38:49 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 7/15/10 3:40 AM, Simon Pieters wrote:
>> The simple way to pass in the current origin, per spec, is to use the
>> string "/".
>
> Sounds like yet another spec change? Gecko certainly doesn't support
> that, so it wasn't in the spec when we implemented...

http://html5.org/tools/web-apps-tracker?from=4719&to=4720

Do you think the special value "/" is a good enough replacement for location.href as the targetOrigin to remove the ability to pass in a path in Gecko?

>>> The alternative is that scripts will be parsing location.href
>>> themselves to extract the thing to pass as the origin string, which is
>>> just asking for security fail in my experience.
>>
>> Even without the special string "/", a simple enough way to construct
>> the origin is location.protocol+"//"+location.host.
>
> Thanks for an _excellent_ illustration of my point.
>
> Your code will happily pass in strings like "about://" for about:blank,
> "jar://example.com" for "jar:http://example.com/!" (when the correct
> origin is "http://example.com/", etc. It's _exactly_ the sort of naive
> "everything is http" URI parsing that will get you in trouble in edge
> cases.

Yeah, true.

--
Simon Pieters
Opera Software
Received on Thursday, 15 July 2010 05:13:02 UTC
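
The edge cases discussed in this message, as an added example that is not part of the original thread: the quoted concatenation is run over constructed location-like objects and its result is passed through a strict check before it would be used as a postMessage targetOrigin. The helper `checkedTargetOrigin` and the sample objects are hypothetical; the protocol and host values for about: and jar: are the ones the message says the concatenation ends up using.

```javascript
// Added example: the concatenation quoted in the thread versus a checked
// targetOrigin. All location-like objects below are constructed sample data.

// The construction quoted in the thread.
function naiveOrigin(loc) {
  return loc.protocol + "//" + loc.host;
}

// Hypothetical helper: accept a candidate targetOrigin only if it is exactly
// the serialized origin of an http(s) URL. Returns null otherwise, so the
// caller can refuse to post the message instead of sending it somewhere odd.
function checkedTargetOrigin(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return null; // not an absolute URL at all
  }
  // "about://" and "jar://example.com" parse, but are not web origins.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // url.origin is the canonical scheme://host[:port] form; requiring equality
  // rejects candidates carrying a path, userinfo or a redundant default port.
  return url.origin === candidate ? candidate : null;
}

// Constructed samples (assumed values, see lead-in).
const samples = [
  { href: "http://example.com/page", protocol: "http:", host: "example.com" },
  { href: "about:blank", protocol: "about:", host: "" },
  { href: "jar:http://example.com/!", protocol: "jar:", host: "example.com" },
];

// For each sample: what the naive code produces and whether it is accepted.
function report() {
  return samples.map((loc) => {
    const naive = naiveOrigin(loc);
    return { href: loc.href, naive, accepted: checkedTargetOrigin(naive) };
  });
}

console.log(report());
```
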