On Sep 25, 2007, at 5:53 AM, Anne van Kesteren wrote:

On Wed, 29 Aug 2007 08:51:29 +0200, Maciej Stachowiak
<[EMAIL PROTECTED]> wrote:

Could you say how you'd envision the fix to address the problem?

The current spec doesn't define "same origin" at all. Thinking
about it more though, it seems like it would be impossible to
define correctly without extensive detailed reference to HTML
details.

Do you still think this is true? What exactly is needed from HTML?

I'm not sure offhand if baseURI is the right way to determine the
security domain. While setting document.domain does not apply, frames
or windows initially loaded with about:blank or no URI at all
generally get the security domain of their parent frame or opener
respectively. I am not certain if this is also supposed to be
reflected in baseURI in all cases, but in any case it doesn't in
Safari (<iframe src="about:blank"> gets a baseURI of about:blank). So
I don't think the spec can define the browsing context's origin
without reference to HTML.

Regards,
Maciej
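
The gap discussed in the message above, as an added example that is not part of the original thread: an origin computed from baseURI alone compared with one that inherits from the parent frame or opener. The context objects, the function names and the app.example URL are hypothetical, and the inheritance rule is a simplified model of the behaviour the message describes as general.

```javascript
// Constructed model of browsing contexts: plain objects, not real DOM windows.
// url    - address the context was loaded with ("" means no URI at all)
// parent - embedding frame, opener - window that opened this one
function makeContext(url, { parent = null, opener = null } = {}) {
  return { url, parent, opener };
}

// Origin taken from the base URI alone. The URL parser reports the
// opaque origin "null" for about:blank, so the embedding page is lost.
function originFromBaseURI(ctx) {
  return ctx.url === "" ? "null" : new URL(ctx.url).origin;
}

// True for contexts that carry no origin of their own in this model.
function inheritsOrigin(ctx) {
  return ctx.url === "" || ctx.url === "about:blank";
}

// Origin with inheritance: walk to the parent frame (or the opener for a
// top-level window) until a context with a real URL is found.
function effectiveOrigin(ctx) {
  const seen = new Set(); // guards against a cyclic opener/parent chain
  let cur = ctx;
  while (cur && inheritsOrigin(cur) && !seen.has(cur)) {
    seen.add(cur);
    cur = cur.parent || cur.opener;
  }
  return !cur || inheritsOrigin(cur) ? "null" : new URL(cur.url).origin;
}

// A same-origin check gives different answers depending on the definition.
function sameOrigin(a, b, originOf) {
  const oa = originOf(a);
  return oa !== "null" && oa === originOf(b);
}

// Constructed sample contexts.
const topWin = makeContext("https://app.example/page");
const frame = makeContext("about:blank", { parent: topWin });
const nested = makeContext("about:blank", { parent: frame });
const popup = makeContext("", { opener: topWin });
const orphan = makeContext("about:blank");

for (const [name, ctx] of Object.entries({ topWin, frame, nested, popup, orphan })) {
  console.log(name, originFromBaseURI(ctx), effectiveOrigin(ctx));
}
```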