[webkit-dev] Security Origins
Adam Barth
abarth at webkit.org
Mon Jun 1 23:30:57 PDT 2009
On Mon, Jun 1, 2009 at 8:29 PM, Jeremy Orlow <jorlow at chromium.org> wrote:
> If this is the only issue, the parsing code could work around it. There are
> 3 parts to the identifier: the protocol (should never have a _ in it,
> right?), the domain, and the port (once again, should never have a _). It
> seems as though the parsing code should look for the first _, the last _,
> and then assume everything in the middle is the domain.
I don't know of any reason why a scheme can't have a _... If you'd
like to change the parsing code to understand domains with a _ this
way, I think that would be an improvement.
> Doesn't seem like a top priority, but maybe it's worth filing a low priority
> bug for it anyway. Although they are 2 somewhat distinct use cases and I
> see the possibility for misuse and bad assumptions, I'm not terribly worried
> about it.
I think HTML 5 has notions of "origin" and "effective script origin"
(or some such) that separate these two concepts. It might be worth
syncing up our internal names with the spec to make these concepts
more accessible to future developers.
Adam
More information about the webkit-dev
mailing list