On Sun, Nov 27, 2011 at 9:42 AM, Larry Masinter <[email protected]> wrote:
> In my experience, it's possible to make editorial changes without significant
> hiccup as long as it is clear there is no objection -- and adding a
> non-controversial term definition would seem to be editorial.
>
> However, I'm really baffled by "Two URIs are the same-origin if their origins
> are the same."
>
>    NOTE: A URI is not necessarily same-origin with itself. For
>    example, a data URI [RFC2397] is not same-origin with itself
>    because data URIs do not use a server-based naming authority and
>    therefore have globally unique identifiers as origins.
>
> If "origin" is an attribute of a "URI", then a.origin = a.origin.

Origin is not an attribute of a URI. It's a value you can compute from a URI.

> If a URI "has" an origin, how can that origin be subject to change,
> mathematically.
> I suppose this is a result of using a normative algorithm in 4 instead of a
> set of invariants.

It's a result of how the web works. However we define origin, it
needs to be the case that a URI is not necessarily same-origin with
itself.

> Perhaps section 5 should instead say:
>
> Two URIs are "same origin" if computing their origins results in the same
> value, and "cross-origin" if the results are different.
> Note that in this formulation, a URI is not necessarily same-origin with
> itself; for example, a data URI [RFC2397] is not same-origin with itself
> because data URIs do not use a server-based naming authority, and different
> invocations of the "origin" computation will result in different (globally
> unique) origins.

That's fine, but I would remove the phrase about "formulation". It
doesn't have anything to do with this particular formulation of this
concept. It's a consequence of the concept itself.

Adam
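
The distinction discussed in this message, origin as a value computed from a URI rather than an attribute of it, shown as an added example that is not part of the original message or of the draft. The function names are hypothetical, and the computation is a simplification that assumes only the scheme/host/port triple and the "globally unique identifier" case; it relies on the standard URL parser for scheme, host and port.

```javascript
// Added illustration; names are hypothetical, not taken from the draft.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443 };

// Compute an origin from a URI. Every call is a fresh computation.
function computeOrigin(uri) {
  const u = new URL(uri);
  if (u.hostname === '') {
    // No server-based naming authority (e.g. data:): mint a fresh,
    // globally unique identifier. A new Symbol equals nothing but itself.
    return { unique: Symbol('globally unique identifier') };
  }
  // The URL parser lowercases scheme and host and drops a default port.
  const port = u.port === '' ? DEFAULT_PORTS[u.protocol] : Number(u.port);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Compare two already-computed origin values.
function originsEqual(a, b) {
  if (a.unique || b.unique) return a.unique === b.unique;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin" compares the results of two separate computations.
function sameOrigin(uriA, uriB) {
  return originsEqual(computeOrigin(uriA), computeOrigin(uriB));
}

// Constructed sample URIs.
const dataUri = 'data:text/plain,hello';
console.log(sameOrigin('http://example.com/a', 'HTTP://EXAMPLE.COM:80/b'));
console.log(sameOrigin(dataUri, dataUri));

// One computed value compared with itself is equal: a.origin = a.origin
// holds for the value, not for two computations over the same URI.
const once = computeOrigin(dataUri);
console.log(originsEqual(once, once));
```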
