On Aug 29, 2007, at 12:03 AM, Boris Zbarsky wrote:

> Maciej Stachowiak wrote:
>> Any definition of a same-origin policy would have to define how to
>> determine the hostname and port.
>
> For what it's worth, an origin in Gecko also includes the scheme.
> This handles things like http-to-https access (not allowed), unknown
> schemes (only same-origin with another URI for that same unknown
> scheme no matter what) and so forth well.

Yes, we compare schemes as well; I just mentioned this because getting
the scheme is obvious, while getting the host might in principle be
scheme-specific.

> -Boris
>
> P.S. If we do want to specify what an "origin" is we should perhaps
> also think about URI schemes that do not have a host and port.

That's part of what makes things complicated. In a web page, for
example, the origin for a frame that loaded "about:blank" will be the
URI of its parent, not its own URI. Similarly for windows and openers.
The XHR spec might be able to tell you what to do with the origin URI
once you have it, and how to compare it to the URI to be loaded, but
it can't tell you what the origin URI actually is. Probably the best
hope for now is to include it in the HTML5 spec, although it's really
needed for non-HTML languages as well.
Regards,
Maciej
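The origin model the two of them sketch, written out as an added example (not code from the thread, Gecko or WebKit): an origin is the (scheme, host, port) triple, about:blank inherits the origin of its parent or opener, and a URI with an unknown scheme is same-origin only with another URI of that same scheme. The scheme list and default-port table are assumptions for the example; Node's WHATWG URL parser does the parsing.

```javascript
// Added example, not from the original thread. Models an origin as the
// (scheme, host, port) triple and the two edge cases the thread raises:
// about:blank inheriting its creator's origin, and unknown schemes that
// have no meaningful host/port and so compare by scheme alone.
// KNOWN_SCHEMES and DEFAULT_PORTS are assumptions made for this example.

const KNOWN_SCHEMES = new Set(["http:", "https:", "ws:", "wss:", "ftp:"]);
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Origin of a document loaded from `uri`. `creatorOrigin` is the origin of
// the frame's parent or the window's opener (null for a top-level page).
function originOf(uri, creatorOrigin = null) {
  // about:blank carries no authority of its own: it takes the creator's origin.
  if (uri === "about:blank") {
    if (creatorOrigin === null) throw new Error("about:blank with no creator has no origin");
    return creatorOrigin;
  }
  const u = new URL(uri);
  if (!KNOWN_SCHEMES.has(u.protocol)) {
    // Unknown scheme: host and port are not meaningful, so only the scheme counts.
    return { scheme: u.protocol, host: null, port: null };
  }
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // The parser drops a default port, so restore it to make comparison explicit.
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Two origins match only when scheme, host and port all agree, so
// http://example.com and https://example.com are different origins.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Whether a document with origin `docOrigin` may read a resource at `targetUri`.
function canAccess(docOrigin, targetUri) {
  return sameOrigin(docOrigin, originOf(targetUri));
}
```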