Closed bzbarsky closed 8 years ago
https://github.com/w3c/webappsec-secure-contexts/commit/d2db6fb6045bb1f40c36cd54428cc7193b040af6 addresses this (for this spec) by skipping the check for opaque identifier origins. I'll poke at MIX in a separate patch.
Between these two patches, I think the specs define sane behavior. WDYT?
@mikewest So we're just not referencing MIX now at all?
MIX drops the 'potentially secure origin' definition, as it's confusing and unnecessary, and it turns out that MIX really cares more about URLs and responses than origins.
Perhaps focusing on origins in this spec is equally confusing. Hrm.
Perhaps, but maybe that can be considered in a separate issue, since I think this one is now resolved.
Do you agree, bzbarsky?
@jwatt Agree that this one is resolved, or that origins-vs-URIs should be considered separately?
@bzbarsky Agree that this one is resolved.
Yeah, looks resolved to me.
http://www.w3.org/TR/mixed-content/#potentially-secure-origin assumes origins have a scheme component.
So does https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy step 2 and so forth.
But globally unique identifier values do not have those components. Since those values can end up in this algorithm as far as I can tell, the behavior for them needs to be defined.
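The gap described in the issue, as an added example that is not part of the thread or of either spec: a scheme-first check applied to an opaque origin reaches a result only by accident, while a check with an explicit opaque branch makes the outcome a stated decision. All function names are hypothetical, and returning "not trustworthy" for opaque origins is this example's assumption, not a statement of what the linked commit does.

```javascript
// Stand-in for a globally unique identifier: it has no scheme, host or port.
const OPAQUE = Object.freeze({ opaque: true });

// Derive an origin from a URL string with the WHATWG URL parser.
// URL#origin serializes an opaque origin as the string "null".
function toOrigin(urlString) {
  const url = new URL(urlString);
  if (url.origin === "null") return OPAQUE;
  const o = new URL(url.origin);
  return { scheme: o.protocol.slice(0, -1), host: o.hostname, port: o.port };
}

function isLoopback(host) {
  return host === "localhost" || host === "[::1]" ||
    /^127(\.\d{1,3}){3}$/.test(host);
}

// Written as if every origin were a (scheme, host, port) tuple.
// For OPAQUE, origin.scheme and origin.host are undefined, so the answer
// falls out of failed comparisons rather than from any defined rule.
function schemeFirstCheck(origin) {
  if (origin.scheme === "https" || origin.scheme === "wss") return "trustworthy";
  if (isLoopback(origin.host)) return "trustworthy";
  return "not trustworthy";
}

// Same steps, but the opaque case is decided before any component is read,
// and anything that is neither opaque nor a tuple is rejected outright.
function definedCheck(origin) {
  if (origin === OPAQUE) return "not trustworthy"; // assumption of this example
  if (typeof origin.scheme !== "string" || typeof origin.host !== "string") {
    throw new TypeError("origin is neither opaque nor a tuple");
  }
  return schemeFirstCheck(origin);
}

// Constructed sample inputs.
const samples = ["https://example.com/a", "http://example.com/",
  "http://127.0.0.1:8080/", "data:text/plain,hi"];
for (const s of samples) {
  console.log(s, "->", definedCheck(toOrigin(s)));
}
```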