On May 16, 2008, at 12:04 AM, Julian Reschke wrote:
Maciej Stachowiak wrote:
In practice it is much more important for same-origin to be
implemented
consistently between XHR and HTML5 (and other Web standards) than
for it
to be precisely consistent cross-browser, as inconsistencies in the
same-origin policy could lead to security holes. Thus, taking a
snapshot
of what HTML5 says and putting it in XHR1 would be a dead letter,
because if HTML5 changes and browsers change to match it, they will
not
leave their XHR implementation using an older version of the security
policy.
Interesting enough, this seems to be exactly the opposite of what Ian
just said :-):
HTML5 and browsers all differ slightly from each other on these
issues. Though HTML5 does not aim to invent anything in the area of
cross-domain security, I think there will be iterative convergence
among the implementations and the spec.
The point is, if XHR1 ends up requiring something different than HTML5
does, at least one of those will be ignored by implementors. Or to
look at it another way, either HTML5 will not change on anything it
requires on this, in which case citing its definitions won't actually
change the meaning of XHR1 in the future; or it will change, in which
case having an obsolete copy of the definitions in XHR1 will be
actively harmful.
So we should either cite by reference or be prepared to promptly issue
errata in the future.
Regards,
Maciej
Ian> The point is that Apple and Microsoft are both going to
implement the
Ian> thing as required by the Web in 2000, not as defined in HTML5.
HTML5 is
Ian> describing existing practice on these matters, not defining new
material.
BR, Julian
