- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 08 Aug 2008 00:27:17 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>, "Sunava Dutta" <sunavad@windows.microsoft.com>
- Cc: "Maciej Stachowiak" <mjs@apple.com>, "Sharath Udupa" <Sharath.Udupa@microsoft.com>, "Zhenbin Xu" <Zhenbin.Xu@microsoft.com>, "Gideon Cohn" <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, "IE8 Core AJAX SWAT Team" <ieajax@microsoft.com>
On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Please note that
>
> Access-Control-Allow-Origin: url
>
> is also allowed syntax. Where the url must contain only scheme, [host,
> and port].
>
> So the following syntax is allowed:
> Access-Control-Allow-Origin: http://example.com
>
> It is somewhat unclear if the following syntaxes are allowed:
>
> Access-Control-Allow-Origin: http://example.com/
> Access-Control-Allow-Origin: http://example.com/?
> Access-Control-Allow-Origin: http://example.com/#
> Access-Control-Allow-Origin: http://example.com/;
>
> I think the first one should be ok, but not the other three.

I think all of these should be disallowed. My plan is to simply require Access-Control-Allow-Origin to hold the ASCII serialization of an origin (see HTML5) and have a literal comparison of that with the value of Origin. This would be quite strict, but should be fine I think.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 7 August 2008 22:28:05 UTC
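The strict rule Anne proposes, as an added example that is not code from the thread or from any browser: the Access-Control-Allow-Origin value is compared byte-for-byte against the ASCII serialization of the requesting origin, so the trailing "/", "?", "#" and ";" variants from Jonas's mail all fail. The function names, the use of the WHATWG URL parser for serialization, and the handling of the "*" wildcard form are my assumptions.

```javascript
// Added example, not code from the thread: strict matching of
// Access-Control-Allow-Origin against the serialized requesting origin.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// ASCII serialization of an origin: scheme "://" host [":" port], with the
// port omitted when it is the scheme's default (the HTML5 shape). The WHATWG
// URL parser already lowercases the host and drops a default port.
function serializeOrigin(urlString) {
  const u = new URL(urlString);
  const explicitPort = u.port !== "" && u.port !== DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname}${explicitPort ? ":" + u.port : ""}`;
}

// Decide whether a response may be exposed to the requesting origin.
// originHeader: the request's Origin value; allowHeader: the raw
// Access-Control-Allow-Origin value, or null when the header is absent.
function originAllowed(originHeader, allowHeader) {
  if (allowHeader === null || allowHeader === undefined) return false;
  if (allowHeader === "*") return true; // wildcard form (assumed, not in the mail)
  // Literal comparison: no trimming, case folding or URL parsing of the
  // header value, so a trailing "/", "?", "#" or ";" never matches.
  return allowHeader === originHeader;
}

// Evaluate the header variants from Jonas's mail for a page on http://example.com.
function checkVariants() {
  const origin = serializeOrigin("http://example.com/some/page.html");
  const variants = [
    "http://example.com",
    "http://example.com/",
    "http://example.com/?",
    "http://example.com/#",
    "http://example.com/;",
  ];
  const result = {};
  for (const v of variants) result[v] = originAllowed(origin, v);
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkVariants());
}
```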