- From: Maciej Stachowiak <mjs@apple.com>
- Date: Tue, 25 Sep 2007 13:55:53 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "Web API WG (public)" <public-webapi@w3.org>
On Sep 25, 2007, at 5:53 AM, Anne van Kesteren wrote:

> On Wed, 29 Aug 2007 08:51:29 +0200, Maciej Stachowiak
> <mjs@apple.com> wrote:
>>> Could you say how you'd envision the fix to address the problem?
>>
>> The current spec doesn't define "same origin" at all. Thinking
>> about it more though, it seems like it would be impossible to
>> define correctly without extensive detailed reference to HTML
>> details.
>
> Do you still think this is true? What exactly is needed from HTML?

I'm not sure offhand if baseURI is the right way to determine the security domain. While setting document.domain does not apply, frames or windows initially loaded with about:blank or no URI at all generally get the security domain of their parent frame or opener respectively. I am not certain if this is also supposed to be reflected in baseURI in all cases, but in any case it doesn't in Safari (<iframe src="about:blank"> gets a baseURI of about:blank). So I don't think the spec can define the browsing context's origin without reference to HTML.

Regards,
Maciej
Received on Tuesday, 25 September 2007 20:56:09 UTC
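
Added example, not part of the original message or of any browser's code: a small model of the point above, comparing an origin derived only from a context's own URI with one that inherits from the parent frame or opener when the context was loaded with about:blank or no URI. The context objects and their `url`, `parent` and `opener` fields are hypothetical, and the hostnames are constructed.

```javascript
// Constructed model: a browsing context is a plain object
// { url, parent, opener } (hypothetical field names, not a browser API).

// Naive definition: take the origin from the context's own URI only,
// as a baseURI-based definition of "same origin" would.
function originFromUri(ctx) {
  if (!ctx.url) return "null";
  return new URL(ctx.url).origin; // "null" for about:blank
}

// Inheritance-aware definition: a context loaded with about:blank or
// no URI takes the security domain of its parent frame, else its opener.
function effectiveOrigin(ctx, seen = new Set()) {
  if (seen.has(ctx)) return "null"; // guard against cyclic opener chains
  seen.add(ctx);
  const blank = !ctx.url || ctx.url === "about:blank";
  if (!blank) return new URL(ctx.url).origin;
  const source = ctx.parent || ctx.opener;
  return source ? effectiveOrigin(source, seen) : "null";
}

// Two contexts are same-origin only if both resolve to the same
// non-opaque origin under the chosen definition.
function sameOrigin(a, b, originOf) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== "null" && oa === ob;
}

// Constructed sample contexts.
const page = { url: "http://example.org/app/index.html" };
const blankFrame = { url: "about:blank", parent: page };
const blankPopup = { url: undefined, opener: page };
const foreignFrame = { url: "http://other.example/", parent: page };
const orphan = { url: "about:blank" };

function report() {
  return [blankFrame, blankPopup, foreignFrame, orphan].map((ctx) => ({
    url: String(ctx.url),
    byUri: sameOrigin(page, ctx, originFromUri),
    byInheritance: sameOrigin(page, ctx, effectiveOrigin),
  }));
}

console.log(report());
```
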