8866 – definition of "same-origin policy"

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 8866 - definition of "same-origin policy"

Summary: definition of "same-origin policy"

Status:	RESOLVED FIXED

Alias:	None

Product:	HTML WG
Classification:	Unclassified
Component:	pre-LC1 HTML5 spec (editor: Ian Hickson) (show other bugs)
Version:	unspecified
Hardware:	PC Windows NT

Importance:	P2 normal
Target Milestone:	---
Assignee:	Ian 'Hixie' Hickson
QA Contact:	HTML WG Bugzilla archive list

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2010-02-02 15:52 UTC by Julian Reschke
Modified:	2010-10-04 13:58 UTC (History)
CC List:	5 users (show)

See Also:

Attachments

Description Julian Reschke 2010-02-02 15:52:39 UTC

<http://dev.w3.org/html5/spec/Overview.html#the-iframe-element> has:

"This flag forces content into a unique origin for the purposes of the same-origin policy."

...where "same-origin policy" just links to the definition of "origin". It would be helpful if there actually was a paragraph that said what the policy is (the information may be there, it's just not obvious how to find it).

Comment 1 Yehuda Katz 2010-02-10 09:23:22 UTC

I think we should define the same-origin policy (even if we just reference the full spec), specifically to improve the verbiage in other parts of the spec where we reference "effective script origin" in an effort to describe the same origin policy.

Comment 2 Ian 'Hixie' Hickson 2010-02-14 11:23:07 UTC

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Partially Accepted
Change Description: see diff given below
Rationale: I removed that mention of the "same-origin policy", since it really wasn't helping anything, and replaced it with a more helpful brief statement explaining the implications of doing this.

I haven't defined "same-origin policy" anywhere because I really have no idea how to do so. The whole HTML spec plus other specs like CORS, Web Storage, the Web Sockets protocol, etc, together describe the same-origin policy. It's not something that can be summarised in a few paragraphs.

Comment 3 contributor 2010-02-14 11:24:38 UTC

Checked in as WHATWG revision r4736.
Check-in comment: Make this sentence more useful.
http://html5.org/tools/web-apps-tracker?from=4735&to=4736