[webkit-dev] Security Origins
Jeremy Orlow
jorlow at chromium.org
Tue Jun 2 00:45:56 PDT 2009
On Mon, Jun 1, 2009 at 11:30 PM, Adam Barth <abarth at webkit.org> wrote:
> On Mon, Jun 1, 2009 at 8:29 PM, Jeremy Orlow <jorlow at chromium.org> wrote:
> > If this is the only issue, the parsing code could work around it. There
> are
> > 3 parts to the identifier: the protocol (should never have a _ in it,
> > right?), the domain, and the port (once again, should never have a _).
> It
> > seems as though the parsing code should look for the first _, the last _,
> > and then assume everything in the middle is the domain.
>
> I don't know of any reason why a scheme can't have a _... If you'd
> like to change the parsing code to understand domains with a _ this
> way, I think that would be an improvement.
>
> > Doesn't seem like a top priority, but maybe it's worth filing a low
> priority
> > bug for it anyway. Although they are 2 somewhat distinct use cases and I
> > see the possibility for misuse and bad assumptions, I'm not terribly
> worried
> > about it.
>
> I think HTML 5 has notions of "origin" and "effective script origin"
> (or some such) that separate these two concepts. It might be worth
> syncing up our internal names with the spec to make these concepts
> more accessible to future developers.
Agreed. Most of the new features use the simpler same origin policy which
compares only the protocol, port, and domain. The effective script origin
and the security around cookies are the more complex parts. I believe
there's a fairly clean split between the two parts in the source code. I'll
file a bug tomorrow regarding this opportunity for cleanup.
J
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20090602/35902462/attachment.html>
More information about the webkit-dev
mailing list