
Re: [access-control] "Origin: null" versus "Origin: "

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 09 Oct 2008 09:54:26 +0200
To: "Adam Barth" <w3c@adambarth.com>, "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.uiqyw0js64w2qv@annevk-t60.oslo.opera.com>

On Thu, 09 Oct 2008 03:05:20 +0200, Adam Barth <w3c@adambarth.com> wrote:
> In some cases, XHR+AC will send an Origin header whose value is the
> empty string.  This asks server operators to distinguish between a
> request that lacks an Origin header (like a same-site request) and a
> request with an empty Origin header (say from a data URL), which might
> be tricky in various languages like mod_security.  Also, some proxies
> might normalize empty headers away if they represent the non-existence
> of a header with the empty string (as, for example, XMLHttpRequest
> does).

Actually, XMLHttpRequest distinguishes between the two. (Empty string  
versus null, though not all browsers have implemented that feature yet.)

> A previous version of the spec sent the literal string "null" in these
> cases.  It seems like this behavior is preferable.  If we want to have
> the same behavior as postMessage, we might be able to change its
> origin property to use the string "null" in these cases too.

If HTML5 were to change, Access Control would also automatically change.
However, browsers are already deploying this. Then again, I haven't  
actually tested if any browser does Origin correctly yet.

Anne van Kesteren
Received on Thursday, 9 October 2008 07:55:09 UTC
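
The distinction discussed in this thread (no Origin header, an empty Origin header, and the literal string "null"), shown as server-side handling. This is an added example, not part of the original message or of any specification text; the function names, the allowlist and the sample requests are constructed for illustration.

```python
from enum import Enum

ALLOWED_ORIGINS = {"https://app.example"}  # constructed allowlist (assumption)


class OriginState(Enum):
    ABSENT = "absent"  # no Origin header on the request
    EMPTY = "empty"    # Origin header present, value is the empty string
    NULL = "null"      # Origin header carries the literal string "null"
    NAMED = "named"    # Origin header carries a serialized origin


def parse_headers(raw):
    """Split raw header bytes into (name, value) pairs, keeping empty values."""
    pairs = []
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.decode("latin-1").strip().lower(),
                          value.decode("latin-1").strip()))
    return pairs


def naive_origin(pairs):
    """Lookup with an empty-string default: absent and empty look identical."""
    return dict(pairs).get("origin", "")


def classify_origin(pairs):
    """Classification that keeps absent, empty and "null" apart."""
    values = [v for n, v in pairs if n == "origin"]
    if not values:
        return OriginState.ABSENT, None
    value = values[0]
    if value == "":
        return OriginState.EMPTY, None
    if value == "null":
        return OriginState.NULL, None
    return OriginState.NAMED, value


def allow_cross_origin(pairs):
    """Grant access only to a named origin on the allowlist."""
    state, origin = classify_origin(pairs)
    return state is OriginState.NAMED and origin in ALLOWED_ORIGINS


# Constructed sample requests, one per case from the thread
NO_HEADER = b"Host: api.example\r\n"
EMPTY_HEADER = b"Host: api.example\r\nOrigin: \r\n"
NULL_HEADER = b"Host: api.example\r\nOrigin: null\r\n"
NAMED_HEADER = b"Host: api.example\r\nOrigin: https://app.example\r\n"
```

`naive_origin` returns the same value for `NO_HEADER` and `EMPTY_HEADER`, which is the ambiguity raised in the quoted text; `classify_origin` only stays unambiguous if nothing upstream has already dropped the empty header.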
