That's up to specifications that use this document. For example, HTML5 is clear about when it computes the origin from a URI.

Adam

On Sun, Nov 27, 2011 at 12:18 PM, Larry Masinter <[email protected]> wrote:
> Re http://tools.ietf.org/html/draft-ietf-websec-origin#section-5
>
> So when you say that a URI "has" an origin, that isn't quite true, right?
> Some URIs have infinitely many origins, and you get a new one whenever you
> ask for one. To know when you have to ask for a new one and not reuse the one
> you got to use before, you have to ... what? Is there some mysterious other
> attribute or state that goes along with the URI that you use to decide
> whether the second instance of the "same" URI is different enough to want to
> get a new origin?
>
>
> -----Original Message-----
> From: Adam Barth [mailto:[email protected]]
> Sent: Sunday, November 27, 2011 11:17 AM
> To: Larry Masinter
> Cc: Tobias Gondrom; [email protected]
> Subject: Re: [websec] Define cross-origin
>
> On Sun, Nov 27, 2011 at 9:42 AM, Larry Masinter <[email protected]> wrote:
>> In my experience, it's possible to make editorial changes without significant
>> hiccup as long as it is clear there is no objection -- and adding a
>> non-controversial term definition would seem to be editorial.
>>
>> However, I'm really baffled by "Two URIs are the same-origin if their
>> origins are the same."
>>
>>    NOTE: A URI is not necessarily same-origin with itself.  For
>>    example, a data URI [RFC2397] is not same-origin with itself
>>    because data URIs do not use a server-based naming authority and
>>    therefore have globally unique identifiers as origins.
>>
>> If "origin" is an attribute of a "URI", then a.origin = a.origin.
>
> Origin is not an attribute of a URI. It's a value you can compute from a URI.
>
>> If a URI "has" an origin, how can that origin be subject to change,
>> mathematically.
>> I suppose this is a result of using a normative algorithm in 4 instead of a
>> set of invariants.
>
> It's a result of how the web works. However we define origin, it needs to be
> the case that a URI is not necessarily same-origin with itself.
>
>> Perhaps section 5 should instead say:
>>
>> Two URIs are "same origin" if computing their origins result in the same
>> value, and "cross-origin" if the results are different.
>> Note that in this formulation, a URI is not necessarily same-origin with
>> itself; for example, a data URI [RFC2397] is not same-origin with itself
>> because data URIs do not use a server-based naming authority, and different
>> invocations of the "origin" computation will result in different (globally
>> unique) origins.
>
> That's fine, but I would remove the phrase about "formulation". It doesn't
> have anything to do with this particular formulation of this concept. It's a
> consequence of the concept itself.
>
> Adam
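
The origin computation discussed in this thread, as an added example that is not part of the original messages or of the draft's own text: it shows why a data URI compared with itself is cross-origin, while an origin value that was computed once and stored still equals itself. The function names, the default-port table and the use of a Symbol as the "globally unique identifier" are assumptions made for illustration; parsing relies on the standard URL class.

```javascript
// Added illustration; names are hypothetical, not from the draft or the thread.
// Default ports this sketch knows (assumption: other schemes keep their explicit port).
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Compute an origin from a URI. Returns a {scheme, host, port} triple, or a
// fresh Symbol standing in for the draft's "globally unique identifier".
function computeOrigin(uri) {
  let u;
  try {
    u = new URL(uri); // throws for relative (non-absolute) URIs
  } catch {
    return Symbol("unique origin");
  }
  // data:, mailto: and similar have no server-based naming authority.
  if (u.hostname === "") return Symbol("unique origin");
  // For http(s)/ws(s) the URL parser lowercases the host and drops a default port.
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] ?? "");
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Compare two already-computed origin values.
function sameOriginValue(a, b) {
  // A unique identifier only ever equals itself, never a triple.
  if (typeof a === "symbol" || typeof b === "symbol") return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Compare two URIs: each call computes both origins afresh.
function sameOriginURI(uriA, uriB) {
  return sameOriginValue(computeOrigin(uriA), computeOrigin(uriB));
}

// Constructed sample inputs.
const dataUri = "data:text/plain,hello";
const stored = computeOrigin(dataUri); // computed once, then held by the consumer
console.log(sameOriginURI("http://Example.com/a", "http://example.com:80/b"));
console.log(sameOriginURI("http://example.com/", "https://example.com/"));
console.log(sameOriginURI(dataUri, dataUri));
console.log(sameOriginValue(stored, stored));
```

The last two lines show the distinction at issue: comparing the URI with itself recomputes the origin and yields cross-origin, whereas the consuming specification decides when to compute and can then compare the stored value.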
