- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 08 Aug 2008 08:42:10 +0200
- To: Anne van Kesteren <annevk@opera.com>
- CC: Jonas Sicking <jonas@sicking.cc>, Sunava Dutta <sunavad@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Anne van Kesteren wrote:
>
> On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Please note that
>>
>> Access-Control-Allow-Origin: url
>>
>> is also allowed syntax. Where the url must contain only scheme, [host,
>> and port].
>>
>> So the following syntax is allowed:
>> Access-Control-Allow-Origin: http://example.com
>>
>> It is somewhat unclear if the following syntaxes are allowed:
>>
>> Access-Control-Allow-Origin: http://example.com/
>> Access-Control-Allow-Origin: http://example.com/?
>> Access-Control-Allow-Origin: http://example.com/#
>> Access-Control-Allow-Origin: http://example.com/;
>>
>> I think the first one should be ok, but not the other three.
>
> I think all of these should be disallowed.
>
> My plan is to simply require Access-Control-Allow-Origin to hold the
> ASCII serialization of an origin (see HTML5) and have a literal
> comparison of that with the value of Origin. This would be quite strict,
> but should be fine I think.

Is there a compelling reason not to define this in terms of RFC3986 and RFC3987?

Best regards, Julian
Received on Friday, 8 August 2008 06:43:01 UTC