This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 13072 - IE8/9 treat different ports as same-origin
Summary: IE8/9 treat different ports as same-origin
Status: RESOLVED WONTFIX
Alias: None
Product: HTML WG
Classification: Unclassified
Component: LC1 HTML5 spec (show other bugs)
Version: unspecified
Hardware: All All
: P3 normal
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: HTML WG Bugzilla archive list
URL: http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-27 17:39 UTC by contributor
Modified: 2011-08-10 01:31 UTC (History)
5 users (show)

See Also:

Attachments

Description contributor 2011-06-27 17:39:38 UTC 
Specification: http://dev.w3.org/html5/spec/Overview.html
Multipage: http://www.whatwg.org/C#top
Complete: http://www.whatwg.org/c#top

Comment:
Section 5.3 Origin.  "Two origins are said to be the same origin if the
following algorithm returns true: [...] If A and B have port components that
are not identical, return false."

IE8 and IE9 do not conform to this.  Per
http://msdn.microsoft.com/en-us/library/ms537505.aspx : "In Internet Explorer
8 and later, that restriction has been removed. Internet Explorer does not
consider the port to be a part of the Security Identifier (origin) used for
Same Origin Policy enforcement."

If the outlined algorithm becomes the standard that developers code by, then
it is crucial that all browsers follow this algorithm otherwise serious
security problems could arise.	If the outlined algorithm is the way forward,
please put pressure on Microsoft to patch IE8 and beyond to conform.

Posted from: 66.188.21.138
User agent: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.8.131 Version/11.11
Comment 1 Aryeh Gregor 2011-06-27 17:52:00 UTC 
Not sure how we're supposed to pressure Microsoft here, if we want to keep the current rules.  What's the rationale for making different ports different origins, though?  Typically they'd be controlled by the same party just as much as any two things on the same domain.
Comment 2 Michael[tm] Smith 2011-08-04 05:02:35 UTC 
mass-moved component to LC1
Comment 3 Ian 'Hixie' Hickson 2011-08-10 01:31:40 UTC 
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Rejected
Change Description: no spec change
Rationale: Different ports on a shared host can be under the control of different users. In fact this basically gives anyone who can get a user account on a machine essentially XSS access to everything hosted on port 80, which seems quite dangerous.

In any case, the IE document seems to only apply to XHR, and seems rather limited even in that context (indeed the document seems to contradict itself on the matter).