This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Specification: http://dev.w3.org/html5/spec/Overview.html Multipage: http://www.whatwg.org/C#top Complete: http://www.whatwg.org/c#top Comment: Section 5.3 Origin. "Two origins are said to be the same origin if the following algorithm returns true: [...] If A and B have port components that are not identical, return false." IE8 and IE9 do not conform to this. Per http://msdn.microsoft.com/en-us/library/ms537505.aspx : "In Internet Explorer 8 and later, that restriction has been removed. Internet Explorer does not consider the port to be a part of the Security Identifier (origin) used for Same Origin Policy enforcement." If the outlined algorithm becomes the standard that developers code by, then it is crucial that all browsers follow this algorithm otherwise serious security problems could arise. If the outlined algorithm is the way forward, please put pressure on Microsoft to patch IE8 and beyond to conform. Posted from: 66.188.21.138 User agent: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.8.131 Version/11.11
Not sure how we're supposed to pressure Microsoft here, if we want to keep the current rules. What's the rationale for making different ports different origins, though? Typically they'd be controlled by the same party just as much as any two things on the same domain.
mass-moved component to LC1
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Rejected Change Description: no spec change Rationale: Different ports on a shared host can be under the control of different users. In fact this basically gives anyone who can get a user account on a machine essentially XSS access to everything hosted on port 80, which seems quite dangerous. In any case, the IE document seems to only apply to XHR, and seems rather limited even in that context (indeed the document seems to contradict itself on the matter).