W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [AC/CORS] Proper behavior for user agents who return 'null' Access-Control-Allow-Origin

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 14 Dec 2009 02:03:27 -0800
Message-ID: <63df84f0912140203t1b033cav1db67d42713909b@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Scott Parkerson <scott.parkerson@gmail.com>, public-webapps@w3.org
On Fri, Dec 11, 2009 at 1:26 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Thu, 10 Dec 2009 23:04:37 +0100, Scott Parkerson
> <scott.parkerson@gmail.com> wrote:
>>
>> I discovered today that Origin handling for CORS is a bit odd on
>> Firefox with respect to requests made from webpages that are loaded
>> locally (e.g. loaded from the  "file://" access scheme). In this case,
>> CORS preflight requests and simple cross-origin requests are sent with
>> a "null" (String) value for Origin. Initially, I thought this was a
>> bug and filed it with Mozilla[1]. Jonas pointed out (rightfully) that
>> I need to do a better job reading the spec and that a "null" string
>> value is perfectly acceptable.
>>
>> However, I noticed that Firefox would fail to issue the follow on
>> request after a successful pre-flight request IFF the server returned
>> the "null" string for Access-Control-Allow-Origin, even though that's
>> what the user agent originally sent. I added this finding onto the
>> same bug (see also). Jonas responded that it appears that the CORS
>> spec had changed since that was implemented in Firefox, and that he
>> believes the spec may be incorrect. I was able to verify that Firefox
>> behaves properly only if the server sends "*" for
>> Access-Control-Allow-Origin.
>>
>> I dug a bit through the archives but I couldn't find the rationale for
>> the change to the CORS spec. I did notice that the change occurred
>> *after* the spec dated 14 Feb 2008[2], or at least the notion that
>> "null" matches nothing disappeared after that time, and that the
>> current spec[3] explicitly states in section 6.2 that the Resource
>> Sharing Check algorithm "...also functions when the ASCII
>> serialization of an origin is the string 'null'."
>>
>> --sgp
>> cf. smerpology.org
>>
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=533987
>> [2] http://www.w3.org/TR/2008/WD-access-control-20080214
>> [3] http://www.w3.org/TR/2009/WD-cors-20090317/
>
> FWIW, I always intended it to be like this. If the specification ever said
> otherwise that would be an oversight. The February 2008 draft is not really
> comparable with what Firefox implemented by the way. The general idea
> remained the same, but the syntax and specifics changed a lot.

My recollection from the meeting in seattle was that we did not want
to allow this.

In any case, it does seem like a very strange feature to me. Sending

Access-Control-Allow-Origin: null

would then mean essentially, "allow access to everyone who I don't
know who it is". I can't think of a situation where this makes sense.

/ Jonas
Received on Monday, 14 December 2009 10:04:28 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT