W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Explain intended use of Access-Control-Origin?

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 4 Feb 2009 13:32:05 +0100
Message-Id: <8A24B40D-1DC3-40B9-9C08-C4D7C48A28A8@w3.org>
To: Anne van Kesteren <annevk@opera.com>
Cc: WebApps WG <public-webapps@w3.org>

Anne,

as just discussed in IRC, it would be good if section 4.1 in access- 
control could elaborate a bit more on the motivation behind only  
permitting a single origin, and on the expected processing.

For example, add this to the end of 4.1:

> Note that this header's value can be either a wildcard or a  
> <em>single</em> origin.  The intent is not to broadcast a resource's  
> list of authorized origins to the world, but to instead echo the  
> value of a cross-site request's <code>Origin</code> header, if that  
> origin is indeed authorized to cause cross-site requests to the  
> resource in question.

(or something like that)

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 4 February 2009 12:32:16 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:29 GMT