I've recently come across another issue with the origin definition.

Right now, this says:

1) If url does not use a server-based naming authority, or if parsing
   url failed, or if url is not an absolute URL, then return a new
   globally unique identifier.
2) Return the tuple (scheme, host, port).

(with some steps to determine the tuple thrown in).

In Gecko, we actually have three classes of URIs for security purposes:

1) Those for which the URI is not same-origin with anything (the
   globally unique identifier case).
2) Those for which the URI is same-origin with anything with the same
   scheme+host+port.
3) Those for which the URI is same-origin with itself but no other URI
   (not to be confused with the globally unique identifier case).

It would be nice if we could express this in terms of the origin setup, but it doesn't seem to me like that's workable as things stand...

-Boris
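
The three classes described in the message above, modelled as an added example (not part of the original message, and not Gecko's or the specification's code). The scheme-to-class table and the `example-self:` scheme are assumptions made for illustration; the point is that class 3 compares equal across separate loads of the same URI, while the globally unique identifier case never does.

```javascript
// Assumed classification table; "example-self:" is a hypothetical scheme
// standing in for class 3. Anything not listed falls into class 1.
const SCHEME_CLASS = {
  "http:": "tuple",
  "https:": "tuple",
  "example-self:": "self-only",
};

let nextUniqueId = 0;

// Class 1: a fresh identifier on every call, so it matches nothing else.
function uniqueOrigin() {
  return { kind: "unique", id: nextUniqueId++ };
}

// Compute an origin for a URL string under the three-class model.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString); // throws for non-absolute or unparsable input
  } catch {
    return uniqueOrigin();
  }
  const cls = SCHEME_CLASS[url.protocol];
  if (cls === "tuple") {
    // Class 2: (scheme, host, port). URL.port is "" for the scheme default.
    return { kind: "tuple", scheme: url.protocol, host: url.hostname, port: url.port };
  }
  if (cls === "self-only") {
    // Class 3: the origin is the whole normalized URI.
    return { kind: "self-only", uri: url.href };
  }
  return uniqueOrigin();
}

function sameOrigin(a, b) {
  if (a.kind !== b.kind) return false;
  if (a.kind === "tuple") {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  if (a.kind === "self-only") return a.uri === b.uri;
  return a.id === b.id; // unique: equal only to the very same origin object
}
```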
