On 6/17/11 12:03 AM, Mykyta Yevstifeyev wrote:
>> not
>> clearly compatible with the web security model,
> How?
"about:blank" in particular is magic with respect to security on the web
in various ways (e.g. it can end up same-origin with http:// pages). So
I think we do need to specify exactly when this magic security behavior
takes place.
The question is what existing UAs do and what assumptions web authors
make, as well as what assumptions should be safe for them to make.
Note that "not clearly compatible" doesn't mean "not compatible"; it
just means it needs sorting out.
Note that this is also an exception to the general claim that about: is
only used internally. That's not the case for about:blank.
So I think we do need a Standards Track document that pins down how
about:blank works; I will be happy to make whatever changes are needed
to Gecko here to achieve interop assuming that the result has been
vetted in terms of the security implications.
For other about: URIs, I don't know whether Standards Track necessarily
makes sense.
>> and because the
>> normalization is not defined in the spec.
> Normalization is defined in RFC 3986.
Browsers don't actually implement RFC 3986 in practice because it's not
compatible with web content, last I checked.... Pretending like they do
doesn't seem to be productive.
Or is the point that the algorithms to be used are just the ones defined
in 3986 and those are sufficiently ok that browsers do actually use
them? That wasn't clear to me from the current draft.
-Boris
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf