Re http://tools.ietf.org/html/draft-ietf-websec-origin#section-5
So when you say that a URI "has" an origin, that isn't quite true, right? Some URIs have infinitely many origins, and you get a new one whenever you ask for one. To know when you have to ask for a new one and not reuse the one you got to use before, you have to ... what? Is there some mysterious other attribute or state that goes along with the URI that you use to decide whether the second instance of the "same" URI is different enough to want to get a new origin?

-----Original Message-----
From: Adam Barth [mailto:[email protected]]
Sent: Sunday, November 27, 2011 11:17 AM
To: Larry Masinter
Cc: Tobias Gondrom; [email protected]
Subject: Re: [websec] Define cross-origin

On Sun, Nov 27, 2011 at 9:42 AM, Larry Masinter <[email protected]> wrote:
> In my experience, it's possible to make editorial changes without significant
> hiccup as long as it is clear there is no objection -- and adding a
> non-controversial term definition would seem to be editorial.
>
> However, I'm really baffled by "Two URIs are the same-origin if their origins
> are the same."
>
> NOTE: A URI is not necessarily same-origin with itself. For
> example, a data URI [RFC2397] is not same-origin with itself
> because data URIs do not use a server-based naming authority and
> therefore have globally unique identifiers as origins.
>
> If "origin" is an attribute of a "URI", then a.origin = a.origin.

Origin is not an attribute of a URI. It's a value you can compute from a URI.

> If a URI "has" an origin, how can that origin be subject to change,
> mathematically?
> I suppose this is a result of using a normative algorithm in 4 instead of a
> set of invariants.

It's a result of how the web works. However we define origin, it needs to be the case that a URI is not necessarily same-origin with itself.

> Perhaps section 5 should instead say:
>
> Two URIs are "same origin" if computing their origins results in the same
> value, and "cross-origin" if the results are different.
> Note that in this formulation, a URI is not necessarily same-origin with
> itself; for example, a data URI [RFC2397] is not same-origin with itself
> because data URIs do not use a server-based naming authority, and different
> invocations of the "origin" computation will result in different (globally
> unique) origins.

That's fine, but I would remove the phrase about "formulation". It doesn't have anything to do with this particular formulation of this concept. It's a consequence of the concept itself.

Adam

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
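The origin computation the thread argues about, written out as an added example (not code from the draft or from either poster): a server-based scheme yields a (scheme, host, port) triple that is stable across calls, while a data: URI yields a fresh globally unique identifier on every call, so the "same" data: URI compares as cross-origin with itself. The default-port table and the use of a random UUID as the globally unique identifier are this example's assumptions.

```python
import uuid
from urllib.parse import urlsplit

# Assumption: a small table of server-based schemes and their default ports.
# A real user agent carries a larger one; unsupported schemes fall through
# to the "globally unique identifier" branch below.
DEFAULT_PORTS = {"http": 80, "https": 443}


def compute_origin(uri):
    """Compute the origin of a URI following the draft's section 4.

    Returns ("scheme", "host", port) for URIs with a server-based naming
    authority, and a new globally unique identifier for everything else
    (data:, about:, unknown schemes, or no host). Each call on a data: URI
    returns a different value; a caller that needs a stable identity keeps
    the value it obtained (e.g. attached to the loaded document) instead of
    recomputing it from the URI.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        # Assumption: a random UUID stands in for the globally unique
        # identifier the draft requires; uniqueness is what matters.
        return ("unique", str(uuid.uuid4()))
    host = parts.hostname.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def same_origin(uri_a, uri_b):
    """Section 5 as proposed in the thread: two URIs are same-origin if
    computing their origins yields the same value, cross-origin otherwise."""
    return compute_origin(uri_a) == compute_origin(uri_b)


if __name__ == "__main__":
    data_uri = "data:text/plain,hello"
    print(same_origin("http://example.com/a", "HTTP://Example.COM:80/b"))  # True
    print(same_origin("http://example.com/", "https://example.com/"))     # False
    print(same_origin(data_uri, data_uri))                                  # False
```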
