| 14:38 | <Karl> | I have a question about origins - can somebody tell me if I'm completely misunderstanding them? Right now there are 2 kinds of origins: tuples and opaque, and opaque origins have this weird property where every time you calculate them, you get a "new" opaque origin which doesn't compare as same-origin with any previously-calculated opaque origin. The HTML spec uses them really carefully and calculates them at specific times to walk this tightrope, URL libraries use things like global atomic counters or UUIDs, etc. This whole "calculation is creation" setup is quite fragile and can lead to brittle code. |
| 14:40 | <Karl> | So... as I've been reading about them, I've been thinking: it seems that there are really 3 kinds of origins - tuple (security domain defined by protocol + host + port), application-defined opaque (security domain defined some other way, for a specific operation or frame or other context), and undefined opaque (totally unknown security domain). Would that be an accurate way to model them? |
| 14:45 | <Karl> | The URL standard says that the origin of "file:" URLs is "an exercise for the reader". IIRC, there was some disagreement because Chrome defines an origin for "file:" URLs and doesn't (or didn't) want to change that. Would that be an example of an application-defined opaque origin? In other words, Chrome has some other information which allows it to assign a security domain for certain file operations? |