W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: XDomainRequest Integration with AC

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 18 Jul 2008 18:58:08 -0700
Message-ID: <48814A30.8000309@sicking.cc>
To: Maciej Stachowiak <mjs@apple.com>
CC: Sunava Dutta <sunavad@windows.microsoft.com>, "annevk@opera.com" <annevk@opera.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>

Maciej Stachowiak wrote:
> On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
>> Iím in time pressure to lock down the header names for Beta 2 to 
>> integrate XDR with AC. It seems no body has objected to Jonasís 
>> proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
>> Please let me know if this discussion is closed so we can make the change.
> I think Anne's email represents the most recent agreement and I don't 
> think anyone has 
> objected: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
> The change would be: 
> Instead of checking for "XDomainRequestAllowed: 1" check for 
> "Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url" 
> where url matches what was sent in the Origin header.

'url' is parsed as an absolute URL using the internal parser used for 
normal URL parsing, but if the resulting URL contains anything other 
than scheme, domain and port then access should be denied. I.e. if the 
url contains a path, a query string a fragment or similar, the header is 
considered invalid and MUST be ignored.

/ Jonas
Received on Saturday, 19 July 2008 01:59:41 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:11 UTC