[webkit-dev] Security Origins

Jeremy Orlow jorlow at chromium.org
Tue Jun 2 11:05:58 PDT 2009


FYI: https://bugs.webkit.org/show_bug.cgi?id=26143

On Tue, Jun 2, 2009 at 12:45 AM, Jeremy Orlow <jorlow at chromium.org> wrote:

> On Mon, Jun 1, 2009 at 11:30 PM, Adam Barth <abarth at webkit.org> wrote:
>
>> On Mon, Jun 1, 2009 at 8:29 PM, Jeremy Orlow <jorlow at chromium.org> wrote:
>> > If this is the only issue, the parsing code could work around it.  There are
>> > 3 parts to the identifier: the protocol (should never have a _ in it,
>> > right?), the domain, and the port (once again, should never have a _).  It
>> > seems as though the parsing code should look for the first _, the last _,
>> > and then assume everything in the middle is the domain.
>>
>> I don't know of any reason why a scheme can't have a _...  If you'd
>> like to change the parsing code to understand domains with a _ this
>> way,  I think that would be an improvement.
>>
>> > Doesn't seem like a top priority, but maybe it's worth filing a low priority
>> > bug for it anyway.  Although they are 2 somewhat distinct use cases and I
>> > see the possibility for misuse and bad assumptions, I'm not terribly worried
>> > about it.
>>
>> I think HTML 5 has notions of "origin" and "effective script origin"
>> (or some such) that separate these two concepts.  It might be worth
>> syncing up our internal names with the spec to make these concepts
>> more accessible to future developers.
>
>
> Agreed.  Most of the new features use the simpler same origin policy which
> compares only the protocol, port, and domain.  The effective script origin
> and the security around cookies are the more complex parts.  I believe
> there's a fairly clean split between the two parts in the source code.  I'll
> file a bug tomorrow regarding this opportunity for cleanup.
>
> J
>
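
The first-underscore/last-underscore split proposed in the quoted message, as an added C++ example that is not part of the thread and is not WebKit's own code. It assumes the identifier has the protocol_domain_port form described above; `OriginParts` and `parseOriginIdentifier` are hypothetical names.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical type for this example; not a WebKit class.
struct OriginParts {
    std::string protocol;
    std::string domain;
    int port;
};

// Assumed identifier form: protocol_domain_port.
// Splits at the first and last '_' so underscores inside the domain survive.
// Returns false on malformed input and leaves `out` untouched.
bool parseOriginIdentifier(const std::string& id, OriginParts& out)
{
    const std::string::size_type first = id.find('_');
    const std::string::size_type last = id.rfind('_');
    // Two distinct separators and a non-empty protocol are required.
    if (first == std::string::npos || first == last || first == 0)
        return false;

    // The port must be 1 to 5 decimal digits and fit in 16 bits.
    const std::string portText = id.substr(last + 1);
    if (portText.empty() || portText.size() > 5)
        return false;
    int port = 0;
    for (unsigned char c : portText) {
        if (!std::isdigit(c))
            return false;
        port = port * 10 + (c - '0');
    }
    if (port > 65535)
        return false;

    out.protocol = id.substr(0, first);
    out.domain = id.substr(first + 1, last - first - 1); // may be empty
    out.port = port;
    return true;
}

int main()
{
    OriginParts p;
    // Constructed sample identifier with an underscore in the host name.
    if (parseOriginIdentifier("http_my_host.example.com_8080", p))
        std::cout << p.protocol << " | " << p.domain << " | " << p.port << "\n";
    return 0;
}
```

A scheme that itself contains a `_` (the case raised in the reply) is still mis-split by this approach: `my_scheme_example.com_80` yields protocol `my` and domain `scheme_example.com`.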