W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: XDomainRequest Integration with AC

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 07 Aug 2008 23:28:48 -0700
Message-ID: <489BE7A0.4030306@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
Cc: Sunava Dutta <sunavad@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>

Anne van Kesteren wrote:
> On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Please note that
>> Access-Control-Allow-Origin: url
>> is also allowed syntax. Where the url must contain only scheme, [host, 
>> and port].
>> So the following syntax is allowed:
>> Access-Control-Allow-Origin: http://example.com
>> It is somewhat unclear if the following syntaxes are allowed:
>> Access-Control-Allow-Origin: http://example.com/
>> Access-Control-Allow-Origin: http://example.com/?
>> Access-Control-Allow-Origin: http://example.com/#
>> Access-Control-Allow-Origin: http://example.com/;
>> I think the first one should be ok, but not the other three.
> I think all of these should be disallowed.
> My plan is to simply require Access-Control-Allow-Origin to hold the 
> ASCII serialization of an origin (see HTML5) and have a literal 
> comparison of that with the value of Origin. This would be quite strict, 
> but should be fine I think.

That is fine, though I'm inclined to think that the trailing slash 
should be allowed in the HTML5 syntax for an origin.

/ Jonas
Received on Friday, 8 August 2008 06:30:22 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:11 UTC