Re: [AC/CORS] Proper behavior for user agents who return 'null' Access-Control-Allow-Origin from Anne van Kesteren on 2009-12-11 (public-webapps@w3.org from October to December 2009)

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 11 Dec 2009 10:26:53 +0100
To: "Scott Parkerson" <scott.parkerson@gmail.com>, public-webapps@w3.org
Message-ID: <op.u4roi3bq64w2qv@anne-van-kesterens-macbook.local>

On Thu, 10 Dec 2009 23:04:37 +0100, Scott Parkerson  
<scott.parkerson@gmail.com> wrote:
> I discovered today that Origin handling for CORS is a bit odd on
> Firefox with respect to requests made from webpages that are loaded
> locally (e.g. loaded from the  "file://" access scheme). In this case,
> CORS preflight requests and simple cross-origin requests are sent with
> a "null" (String) value for Origin. Initially, I thought this was a
> bug and filed it with Mozilla[1]. Jonas pointed out (rightfully) that
> I need to do a better job reading the spec and that a "null" string
> value is perfectly acceptable.
>
> However, I noticed that Firefox would fail to issue the follow on
> request after a successful pre-flight request IFF the server returned
> the "null" string for Access-Control-Allow-Origin, even though that's
> what the user agent originally sent. I added this finding onto the
> same bug (see also). Jonas responded that it appears that the CORS
> spec had changed since that was implemented in Firefox, and that he
> believes the spec may be incorrect. I was able to verify that Firefox
> behaves properly only if the server sends "*" for
> Access-Control-Allow-Origin.
>
> I dug a bit through the archives but I couldn't find the rationale for
> the change to the CORS spec. I did notice that the change occurred
> *after* the spec dated 14 Feb 2008[2], or at least the notion that
> "null" matches nothing disappeared after that time, and that the
> current spec[3] explicitly states in section 6.2 that the Resource
> Sharing Check algorithm "...also functions when the ASCII
> serialization of an origin is the string 'null'."
>
> --sgp
> cf. smerpology.org
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=533987
> [2] http://www.w3.org/TR/2008/WD-access-control-20080214
> [3] http://www.w3.org/TR/2009/WD-cors-20090317/

FWIW, I always intended it to be like this. If the specification ever said  
otherwise that would be an oversight. The February 2008 draft is not  
really comparable with what Firefox implemented by the way. The general  
idea remained the same, but the syntax and specifics changed a lot.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Friday, 11 December 2009 09:27:29 UTC