W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: XDomainRequest Integration with AC

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 05 Sep 2008 00:43:29 -0700
Message-ID: <48C0E321.7010808@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
CC: Julian Reschke <julian.reschke@gmx.de>, Sunava Dutta <sunavad@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>

Anne van Kesteren wrote:
> 
> On Fri, 08 Aug 2008 20:44:04 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> The big worry I have though is if there is any possibility to puny 
>> encode the same origin in multiple ways (other than with or without 
>> default port). This could lead to different UAs encoding the same 
>> origin in different ways, which could lead to interoperability issues 
>> if sites rather than echoing the 'Origin' header always send out a 
>> static value for the Access-Control-Allow-Origin header.
> 
> Is that possible? I don't think it is. Domain names follow a strict set 
> of normalization rules. (That would also mean the Origin header could 
> contain different values depending on the implementation, which is not 
> the case.)

The only thing that i _know_ of is that:

http://foo.com
and
http://foo.com:80

are the same origin but have different string representations. I have 
also heard that some UAs are able to handle non-ascii characters in 
header values by somehow specifying an encoding. I don't really know how 
that works, but for those UAs the following to origins would be equivalent:

http://www.xn--jrnspikar-v2a.com
and
http://www.järnspikar.com

/ Jonas
Received on Friday, 5 September 2008 07:45:18 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT