
Re: [AC] "Origin: null" versus "Origin: "

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 20 Oct 2008 15:18:34 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
Cc: WebApps WG <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0810201517180.1237@hixie.dreamhostps.com>

On Wed, 8 Oct 2008, Adam Barth wrote:
> 
> In some cases, XHR+AC will send an Origin header whose value is the 
> empty string.  This asks server operators to distinguish between a 
> request that lacks an Origin header (like a same-site request) and a 
> request with an empty Origin header (say from a data URL), which might 
> be tricky in various languages like mod_security.  Also, some proxies 
> might normalize empty headers away if they represent the non-existence 
> of a header with the empty string (as, for example, XMLHttpRequest 
> does).
> 
> A previous version of the spec sent the literal string "null" in these 
> cases.  It seems like this behavior is preferable.  If we want to have 
> the same behavior as postMessage, we might be able to change its origin 
> property to use the string "null" in these cases too.

HTML5 has now changed to do this, which I believe automatically fixes 
XHR+AC for you.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 20 October 2008 15:19:11 GMT
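
The ambiguity raised in the quoted message, shown from the server's side as an added example (not part of the original e-mail or of any specification): once an intermediary drops empty headers, an empty Origin cannot be told apart from a missing one, while the literal "null" survives. `drop_empty_headers` is a hypothetical stand-in for the normalizing proxy the message mentions, and the host names and requests are constructed.

```python
from enum import Enum


class OriginState(Enum):
    ABSENT = "absent"  # no Origin header at all (e.g. a same-site request)
    EMPTY = "empty"    # header present, value is the empty string
    NULL = "null"      # header present, literal string "null"
    ORIGIN = "origin"  # header present, carries a serialized origin


def origin_value(headers):
    """Return the first Origin header value, or None if the header is absent."""
    for name, value in headers:
        if name.lower() == "origin":
            return value.strip()
    return None


def classify_origin(headers):
    """Classify a request given as a list of (name, value) header pairs."""
    value = origin_value(headers)
    if value is None:
        return OriginState.ABSENT
    if value == "":
        return OriginState.EMPTY
    if value == "null":
        return OriginState.NULL
    return OriginState.ORIGIN


def drop_empty_headers(headers):
    """Hypothetical intermediary that treats '' as 'no header' and drops it."""
    return [(n, v) for n, v in headers if v.strip() != ""]


def grant_cross_origin_access(headers, allowlist):
    """Grant only to a listed serialized origin; absent, empty and "null"
    are never treated as a trusted origin."""
    if classify_origin(headers) is not OriginState.ORIGIN:
        return False
    return origin_value(headers) in allowlist


# Constructed sample requests (not captured traffic).
SAME_SITE = [("Host", "api.example")]
EMPTY_ORIGIN = [("Host", "api.example"), ("Origin", "")]
NULL_ORIGIN = [("Host", "api.example"), ("Origin", "null")]
SITE_ORIGIN = [("Host", "api.example"), ("Origin", "https://app.example")]
```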
