On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Please note that
>
> Access-Control-Allow-Origin: url
>
> is also allowed syntax. Where the url must contain only scheme, [host,
> and port].
>
> So the following syntax is allowed:
> Access-Control-Allow-Origin: http://example.com
>
> It is somewhat unclear if the following syntaxes are allowed:
>
> Access-Control-Allow-Origin: http://example.com/
> Access-Control-Allow-Origin: http://example.com/?
> Access-Control-Allow-Origin: http://example.com/#
> Access-Control-Allow-Origin: http://example.com/;
>
> I think the first one should be ok, but not the other three.

I think all of these should be disallowed. My plan is to simply require
Access-Control-Allow-Origin to hold the ASCII serialization of an origin
(see HTML5) and have a literal comparison of that with the value of
Origin. This would be quite strict, but should be fine I think.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 7 August 2008 22:28:05 GMT
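
The strict rule proposed in the message above, sketched in JavaScript as an added example (it is not part of the original message or of any specification text). The function names are hypothetical, the sample header values beyond the five quoted in the thread are constructed, and the WHATWG URL parser's `origin` property is assumed to stand in for the HTML5 ASCII serialization of an origin.

```javascript
// Added illustration; function names are hypothetical, not from the spec or the thread.

// Returns the ASCII serialization of the URL's origin (scheme://host[:port]),
// or null if the input does not parse or has an opaque origin.
// Assumption: the WHATWG URL parser's `origin` stands in for the HTML5 definition.
function asciiOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// Strict rule from the message: literal comparison of header value with Origin value.
function checkAllowOrigin(headerValue, requestOrigin) {
  if (headerValue === requestOrigin) return "allow";
  // Denied. Work out why, to help debug a misconfigured server.
  const normalized = asciiOrigin(headerValue);
  if (normalized === null) return "deny: not a URL";
  if (normalized !== headerValue) {
    return normalized === requestOrigin
      ? "deny: same origin but not in serialized form"
      : "deny: not in serialized form";
  }
  return "deny: different origin";
}

// Constructed sample values: the variants quoted in the thread plus three others.
const ORIGIN = "http://example.com";
const samples = [
  "http://example.com",
  "http://example.com/",
  "http://example.com/?",
  "http://example.com/#",
  "http://example.com/;",
  "HTTP://EXAMPLE.COM",
  "http://example.com:80",
  "http://example.org",
];
function report() {
  return samples.map((h) => [h, checkAllowOrigin(h, ORIGIN)]);
}
for (const [h, verdict] of report()) console.log(h.padEnd(24), verdict);
```

Only the first sample is allowed; a server that normalizes, or appends anything to, the value it echoes back fails the literal comparison even when it names the right origin.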