W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2008

[AC] "Origin: null" versus "Origin: "

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 8 Oct 2008 18:05:20 -0700
Message-ID: <7789133a0810081805w1ee842d1ie8c36604dd174c4@mail.gmail.com>
To: "WebApps WG" <public-webapps@w3.org>

In some cases, XHR+AC will send an Origin header whose value is the
empty string.  This asks server operators to distinguish between a
request that lacks an Origin header (like a same-site request) and a
request with an empty Origin header (say from a data URL), which might
be tricky in various languages like mod_security.  Also, some proxies
might normalize empty headers away if they represent the non-existence
of a header with the empty string (as, for example, XMLHttpRequest
does).

A previous version of the spec sent the literal string "null" in these
cases.  It seems like this behavior is preferable.  If we want to have
the same behavior as postMessage, we might be able to change its
origin property to use the string "null" in these cases too.

Adam
Received on Thursday, 9 October 2008 01:05:55 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:28 GMT