- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 05 Sep 2008 00:43:29 -0700
- To: Anne van Kesteren <annevk@opera.com>
- CC: Julian Reschke <julian.reschke@gmx.de>, Sunava Dutta <sunavad@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Anne van Kesteren wrote:
> On Fri, 08 Aug 2008 20:44:04 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> The big worry I have though is if there is any possibility to puny
>> encode the same origin in multiple ways (other than with or without
>> default port). This could lead to different UAs encoding the same
>> origin in different ways, which could lead to interoperability issues
>> if sites rather than echoing the 'Origin' header always send out a
>> static value for the Access-Control-Allow-Origin header.
>
> Is that possible? I don't think it is. Domain names follow a strict set
> of normalization rules. (That would also mean the Origin header could
> contain different values depending on the implementation, which is not
> the case.)

The only thing that I _know_ of is that:

http://foo.com and http://foo.com:80

are the same origin but have different string representations.

I have also heard that some UAs are able to handle non-ASCII characters in header values by somehow specifying an encoding. I don't really know how that works, but for those UAs the following two origins would be equivalent:

http://www.xn--jrnspikar-v2a.com and http://www.järnspikar.com

/ Jonas
Received on Friday, 5 September 2008 07:45:18 UTC
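The two cases Jonas raises (an explicit default port, and an IDN host that may arrive either as Unicode or as its xn-- form) are exactly the ones a server comparing a static Access-Control-Allow-Origin value against the incoming Origin header has to normalize away. The following is an added example, not code from the thread or from any of the browsers discussed: it serializes an origin by lowercasing the scheme and host, dropping the scheme's default port, and IDNA-encoding the host, and then uses that serialization on the server side to decide whether a request's Origin matches an allow-list entry. The serialization rule (scheme://host with the default port omitted and the host in punycode) is an assumption chosen to match the behaviour the mail describes, and the function and allow-list names are hypothetical.

```python
from urllib.parse import urlsplit

# Default ports per scheme (assumption: only these two schemes are of interest here).
# An explicit default port carries no information, so it is dropped from the serialization.
DEFAULT_PORTS = {"http": 80, "https": 443}


def serialize_origin(url: str) -> str:
    """Serialize an absolute URL to a canonical origin string.

    Normalization performed (matching the two ambiguities raised in the thread):
      * scheme and host are lowercased (urlsplit already does this),
      * a port equal to the scheme's default port is omitted,
      * a Unicode (IDN) host is converted to its ASCII xn-- form, so that
        http://www.järnspikar.com and http://www.xn--jrnspikar-v2a.com compare equal.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # lowercased, brackets and userinfo stripped
    if not scheme or host is None:
        raise ValueError(f"not an absolute URL with a host: {url!r}")
    # Python's idna codec leaves pure-ASCII labels untouched and punycodes the rest.
    ascii_host = host.encode("idna").decode("ascii")
    port = parts.port  # None when absent; raises ValueError if out of range
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{ascii_host}"
    return f"{scheme}://{ascii_host}:{port}"


def same_origin(url_a: str, url_b: str) -> bool:
    """True when both URLs serialize to the same origin."""
    return serialize_origin(url_a) == serialize_origin(url_b)


def allow_origin_header(request_origin: str, allowed_origins):
    """Server-side check (hypothetical helper): return the value to send in
    Access-Control-Allow-Origin for this request, or None to deny.

    Both the incoming Origin header value and each allow-list entry are run
    through serialize_origin, so a static allow-list entry still matches even if
    the UA's Origin serialization differs in port or IDN form.
    """
    wanted = serialize_origin(request_origin)
    for candidate in allowed_origins:
        if serialize_origin(candidate) == wanted:
            # Echo the canonical form rather than the raw header value.
            return wanted
    return None


if __name__ == "__main__":
    # Constructed sample values; "järnspikar" is the example host from the thread.
    print(serialize_origin("http://foo.com:80"))            # http://foo.com
    print(serialize_origin("http://www.järnspikar.com"))    # http://www.xn--jrnspikar-v2a.com
    print(same_origin("http://foo.com", "http://foo.com:80"))  # True
    print(allow_origin_header("http://www.järnspikar.com",
                              ["http://www.xn--jrnspikar-v2a.com"]))
```

Note that the comparison is done on the serialized form on both sides; comparing the raw Origin string against a raw allow-list entry is what breaks when two UAs serialize the same origin differently.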