- From: Scott Parkerson <scott.parkerson@gmail.com>
- Date: Thu, 10 Dec 2009 17:04:37 -0500
- To: public-webapps@w3.org
I discovered today that Origin handling for CORS is a bit odd on Firefox with respect to requests made from webpages that are loaded locally (e.g. loaded from the "file://" access scheme). In this case, CORS preflight requests and simple cross-origin requests are sent with a "null" (String) value for Origin. Initially, I thought this was a bug and filed it with Mozilla[1]. Jonas pointed out (rightfully) that I need to do a better job reading the spec and that a "null" string value is perfectly acceptable. However, I noticed that Firefox would fail to issue the follow on request after a successful pre-flight request IFF the server returned the "null" string for Access-Control-Allow-Origin, even though that's what the user agent originally sent. I added this finding onto the same bug (see also). Jonas responded that it appears that the CORS spec had changed since that was implemented in Firefox, and that he believes the spec may be incorrect. I was able to verify that Firefox behaves properly only if the server sends "*" for Access-Control-Allow-Origin. I dug a bit through the archives but I couldn't find the rationale for the change to the CORS spec. I did notice that the change occurred *after* the spec dated 14 Feb 2008[2], or at least the notion that "null" matches nothing disappeared after that time, and that the current spec[3] explicitly states in section 6.2 that the Resource Sharing Check algorithm "...also functions when the ASCII serialization of an origin is the string 'null'." --sgp cf. smerpology.org [1] https://bugzilla.mozilla.org/show_bug.cgi?id=533987 [2] http://www.w3.org/TR/2008/WD-access-control-20080214 [3] http://www.w3.org/TR/2009/WD-cors-20090317/
Received on Friday, 11 December 2009 09:14:07 UTC