On Thu, 09 Oct 2008 03:05:20 +0200, Adam Barth <w3c@adambarth.com> wrote:
> In some cases, XHR+AC will send an Origin header whose value is the
> empty string. This asks server operators to distinguish between a
> request that lacks an Origin header (like a same-site request) and a
> request with an empty Origin header (say from a data URL), which might
> be tricky in various languages like mod_security. Also, some proxies
> might normalize empty headers away if they represent the non-existence
> of a header with the empty string (as, for example, XMLHttpRequest
> does).

Actually, XMLHttpRequest distinguishes between the two. (Empty string versus null, though not all browsers have implemented that feature yet.)

> A previous version of the spec sent the literal string "null" in these
> cases. It seems like this behavior is preferable. If we want to have
> the same behavior as postMessage, we might be able to change its
> origin property to use the string "null" in these cases too.

If HTML5 were to change Access Control would also automatically change. However, browsers are already deploying this. Then again, I haven't actually tested if any browser does Origin correctly yet.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 9 October 2008 07:55:09 GMT
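The absent / empty / "null" distinction discussed in this message, as an added example that is not part of the original thread: a server-side classifier for the Origin header, next to a common lookup that conflates the first two cases and a model of an intermediary that drops empty headers. The requests, host names, allowlist, function names and the deny-by-default policy are all constructed assumptions.

```python
# Added example; requests, host names and the allowlist are constructed.
ALLOWED = {"https://app.example"}  # hypothetical trusted origin
HEAD = b"GET /data HTTP/1.1\r\nHost: api.example\r\n"
REQ_ABSENT = HEAD + b"\r\n"                      # no Origin header at all
REQ_EMPTY = HEAD + b"Origin:\r\n\r\n"            # Origin present, empty value
REQ_NULL = HEAD + b"Origin: null\r\n\r\n"        # literal string "null"
REQ_SITE = HEAD + b"Origin: https://app.example\r\n\r\n"

def parse_headers(raw):
    """Return (lowercased name, value) pairs, keeping empty-valued headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def origin_state(raw):
    """Classify Origin without collapsing 'absent' into 'empty'."""
    values = [v for n, v in parse_headers(raw) if n == "origin"]
    if not values:
        return ("absent", None)
    if len(values) > 1:
        return ("ambiguous", None)               # repeated header: do not guess
    if values[0] == "":
        return ("empty", None)
    if values[0] == "null":
        return ("null", None)
    return ("origin", values[0])

def naive_origin(raw):
    """Lookup with an empty-string default: absent and empty look identical."""
    return dict(parse_headers(raw)).get("origin", "")

def drop_empty_headers(raw):
    """Model of an intermediary that normalizes empty headers away."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]] + [l for l in lines[1:] if l.partition(b":")[2].strip()]
    return b"\r\n".join(kept) + b"\r\n\r\n" + body

def allow_cross_site(raw):
    """Assumed policy: grant cross-site access only to a listed origin."""
    state, value = origin_state(raw)
    return state == "origin" and value in ALLOWED
```

The literal "null" survives both the naive lookup and the header-dropping intermediary as a distinct value, which the empty string does not.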