Anne,

as just discussed in IRC, it would be good if section 4.1 in access-control could elaborate a bit more on the motivation behind only permitting a single origin, and on the expected processing. For example, add this to the end of 4.1:

> Note that this header's value can be either a wildcard or a
> <em>single</em> origin. The intent is not to broadcast a resource's
> list of authorized origins to the world, but to instead echo the
> value of a cross-site request's <code>Origin</code> header, if that
> origin is indeed authorized to cause cross-site requests to the
> resource in question.

(or something like that)

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>

Received on Wednesday, 4 February 2009 12:32:16 GMT
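The processing the proposed note describes, as an added example that is not part of the original message or of the specification: the server keeps its list of authorized origins private and echoes the request's Origin value only on an exact match. The allow-list, the function name and the use of `Vary: Origin` are assumptions of this example.

```python
# Added example (not from the message or the spec). ALLOWED_ORIGINS and
# cors_response_headers are hypothetical names; the origins are constructed.

# Server-side allow-list. It is consulted per request and never serialized
# into a response, so clients learn only whether *their* origin is allowed.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.org",
    "https://partner.example.net:8443",
})


def cors_response_headers(origin_header, allowed=ALLOWED_ORIGINS, public=False):
    """Return the CORS-related response headers for one request.

    origin_header: value of the request's Origin header, or None if absent.
    public: True for a resource any site may read (the wildcard case).
    """
    if public:
        return {"Access-Control-Allow-Origin": "*"}

    # The response differs per requesting origin, so caches must key on it,
    # including for responses that end up carrying no allow header.
    headers = {"Vary": "Origin"}

    if not origin_header:
        return headers  # no Origin header: nothing to echo

    # Exact comparison only. Substring, prefix or suffix tests would also
    # accept lookalikes such as "https://app.example.org.lookalike.test".
    if origin_header in allowed:
        # Echo the single requesting origin, never the whole list.
        headers["Access-Control-Allow-Origin"] = origin_header
    return headers


if __name__ == "__main__":
    # Constructed sample requests: (Origin header value, public resource?)
    samples = [
        ("https://app.example.org", False),
        ("https://app.example.org.lookalike.test", False),
        (None, False),
        ("https://anything.example", True),
    ]
    for origin, public in samples:
        print(origin, public, cors_response_headers(origin, public=public))
```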