Re: XDomainRequest Integration with AC

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 26 Aug 2008 14:38:35 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Julian Reschke" <julian.reschke@gmx.de>, "Sunava Dutta" <sunavad@windows.microsoft.com>, "Maciej Stachowiak" <mjs@apple.com>, "Sharath Udupa" <Sharath.Udupa@microsoft.com>, "Zhenbin Xu" <Zhenbin.Xu@microsoft.com>, "Gideon Cohn" <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, "IE8 Core AJAX SWAT Team" <ieajax@microsoft.com>
Message-ID: <op.ughuqlv264w2qv@annevk-t60.oslo.opera.com>

On Fri, 08 Aug 2008 20:44:04 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> The big worry I have though is if there is any possibility to puny  
> encode the same origin in multiple ways (other than with or without  
> default port). This could lead to different UAs encoding the same origin  
> in different ways, which could lead to interoperability issues if sites  
> rather than echoing the 'Origin' header always send out a static value  
> for the Access-Control-Allow-Origin header.

Is that possible? I don't think it is. Domain names follow a strict set of  
normalization rules. (That would also mean the Origin header could contain  
different values depending on the implementation, which is not the case.)

> In general, I don't think it's a lot of work to require a strict  
> same-origin check. All browsers should have such an algorithm  
> implemented anyway.

True, but if we can make things simpler that seems better.

Anne van Kesteren
Received on Tuesday, 26 August 2008 12:39:30 UTC
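
The interoperability concern discussed in this message, as an added example that is not part of the original e-mail: a static Access-Control-Allow-Origin value written in a different but equivalent form (Unicode host, uppercase, explicit default port) fails a plain string comparison against the Origin header, while comparing serialized origins succeeds. The function names and sample values are hypothetical, and the WHATWG URL parser's origin serialization is assumed as the canonical form.

```javascript
// Added example. Reduce a value to its serialized origin: lowercase scheme,
// host run through IDNA ToASCII (Punycode), default port dropped.
function canonicalOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // not parseable as an absolute URL
  }
  // Opaque origins serialize as "null"; only scheme/host/port origins compare.
  if (url.origin === "null") return null;
  // An origin carries no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  return url.origin;
}

// Plain string comparison of the two header values.
function literalMatch(allowOrigin, originHeader) {
  return allowOrigin === originHeader;
}

// Comparison after both sides are reduced to the same serialization.
function canonicalMatch(allowOrigin, originHeader) {
  const a = canonicalOrigin(allowOrigin);
  const b = canonicalOrigin(originHeader);
  return a !== null && a === b;
}

// Constructed sample values (not taken from the thread).
const ORIGIN_HEADER = "http://xn--bcher-kva.example";
const STATIC_VALUES = [
  "http://xn--bcher-kva.example",      // same serialization
  "http://bücher.example",             // Unicode form of the same host
  "HTTP://Bücher.example:80",          // uppercase plus explicit default port
  "http://xn--bcher-kva.example:8080", // genuinely different origin
];

function report() {
  return STATIC_VALUES.map((value) => ({
    value,
    literal: literalMatch(value, ORIGIN_HEADER),
    canonical: canonicalMatch(value, ORIGIN_HEADER),
  }));
}

console.table(report());
```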
