[webkit-dev] Security Origins
jorlow at chromium.org
Tue Jun 2 11:05:58 PDT 2009
On Tue, Jun 2, 2009 at 12:45 AM, Jeremy Orlow <jorlow at chromium.org> wrote:
> On Mon, Jun 1, 2009 at 11:30 PM, Adam Barth <abarth at webkit.org> wrote:
>> On Mon, Jun 1, 2009 at 8:29 PM, Jeremy Orlow <jorlow at chromium.org> wrote:
>> > If this is the only issue, the parsing code could work around it. There
>> > 3 parts to the identifier: the protocol (should never have a _ in it,
>> > right?), the domain, and the port (once again, should never have a _).
>> > seems as though the parsing code should look for the first _, the last
>> > and then assume everything in the middle is the domain.
>> I don't know of any reason why a scheme can't have a _... If you'd
>> like to change the parsing code to understand domains with a _ this
>> way, I think that would be an improvement.
>> > Doesn't seem like a top priority, but maybe it's worth filing a low
>> > bug for it anyway. Although they are 2 somewhat distinct use cases and
>> > see the possibility for misuse and bad assumptions, I'm not terribly
>> > about it.
>> I think HTML 5 has notions of "origin" and "effective script origin"
>> (or some such) that separate these two concepts. It might be worth
>> syncing up our internal names with the spec to make these concepts
>> more accessible to future developers.
> Agreed. Most of the new features use the simpler same origin policy which
> compares only the protocol, port, and domain. The effective script origin
> and the security around cookies are the more complex parts. I believe
> there's a fairly clean split between the two parts in the source code. I'll
> file a bug tomorrow regarding this opportunity for cleanup.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the webkit-dev