W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: XDomainRequest Integration with AC

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 08 Aug 2008 11:44:04 -0700
Message-ID: <489C93F4.5090003@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, Sunava Dutta <sunavad@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>

Jonas Sicking wrote:
> 
> Anne van Kesteren wrote:
>> On Fri, 08 Aug 2008 11:38:55 +0200, Jonas Sicking <jonas@sicking.cc> 
>> wrote:
>>> String comparison is not going to be ok either way. The following two 
>>> origins are equivalent:
>>>
>>> http://www.foo.com
>>> http://www.foo.com:80
>>
>> My proposal was to treat those as non-equivalent. Basically, to 
>> require Access-Control-Allow-Origin to have the same value as Origin.
> 
> The downside with doing that is that we can't use the same syntax for 
> Access-Control as for postMessage. (Yes, I'm still intending to get 
> postMessage fixed, haven't had time yet though).
> 
> Not sure how big the value is in that though...

The big worry I have though is if there is any possibility to Punycode-encode 
the same origin in multiple ways (other than with or without 
default port). This could lead to different UAs encoding the same origin 
in different ways, which could lead to interoperability issues if sites 
rather than echoing the 'Origin' header always send out a static value 
for the Access-Control-Allow-Origin header.

In general, I don't think it's a lot of work to require a strict 
same-origin check. All browsers should have such an algorithm 
implemented anyway.

/ Jonas
Received on Friday, 8 August 2008 18:45:39 GMT
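The distinction the message draws, between comparing Access-Control-Allow-Origin to Origin as strings and running a strict same-origin check on the two, as an added example that is not part of the thread or of any browser's code. It assumes a Node.js runtime and uses the WHATWG URL parser as a stand-in for a UA's origin serializer (it lower-cases the host, converts IDN labels to Punycode and drops the scheme's default port); the function names and the sample origins are the example's own.

```javascript
// Added example, not from the thread. Origins are compared as
// (scheme, host, port) tuples, which is the "strict same-origin check"
// the message argues for, and contrasted with byte-for-byte string
// comparison of the two headers.

// Default ports per scheme, used to fill in a port the URL omits.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse an origin string into a {scheme, host, port} tuple, or null when
// the text is not a parseable hierarchical origin.
function parseOrigin(text) {
  let url;
  try {
    url = new URL(text);
  } catch (e) {
    return null;
  }
  if (!(url.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: url.protocol,
    host: url.hostname,                         // already lower-cased and Punycode-encoded by the parser
    port: url.port || DEFAULT_PORTS[url.protocol], // '' means the scheme's default port
  };
}

// Strict same-origin check: equal scheme, equal host, equal effective port.
function sameOrigin(a, b) {
  const x = parseOrigin(a);
  const y = parseOrigin(b);
  if (!x || !y) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// The alternative under discussion: the response header must match the
// Origin request header exactly, so "http://www.foo.com" and
// "http://www.foo.com:80" are treated as different origins.
function allowedByStringComparison(originHeader, allowOriginHeader) {
  return originHeader === allowOriginHeader;
}

// The same decision made with the tuple comparison above.
function allowedBySameOriginCheck(originHeader, allowOriginHeader) {
  return sameOrigin(originHeader, allowOriginHeader);
}

// How a UA would serialize an origin into the Origin header: ASCII host,
// default port omitted. A site that hard-codes a static
// Access-Control-Allow-Origin value has to match this form exactly if the
// receiving UA only does string comparison.
function serializeOrigin(text) {
  const o = parseOrigin(text);
  if (!o) return null;
  return o.port === DEFAULT_PORTS[o.scheme]
    ? `${o.scheme}//${o.host}`
    : `${o.scheme}//${o.host}:${o.port}`;
}

// Constructed sample origins: the two from the thread plus an IDN host
// written raw and in Punycode.
const SAMPLES = [
  ['http://www.foo.com', 'http://www.foo.com:80'],
  ['http://b\u00fccher.example', 'http://xn--bcher-kva.example'],
  ['http://www.foo.com', 'https://www.foo.com'],
];

for (const [origin, allow] of SAMPLES) {
  console.log(
    `${origin} vs ${allow}: string=${allowedByStringComparison(origin, allow)}`
    + ` same-origin=${allowedBySameOriginCheck(origin, allow)}`
    + ` serialized=${serializeOrigin(origin)} / ${serializeOrigin(allow)}`
  );
}

module.exports = { parseOrigin, sameOrigin, allowedByStringComparison, allowedBySameOriginCheck, serializeOrigin };
```

The IDN pair is the case the message worries about: a UA that serializes the Origin header with the raw Unicode host and one that serializes it in Punycode would both be rejected by a server whose static Access-Control-Allow-Origin value happens to use the other form, whereas the tuple check accepts both because the parser normalizes the host before comparison.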
