
Re: [AC/CORS] Proper behavior for user agents who return 'null' Access-Control-Allow-Origin

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 15 Dec 2009 13:10:48 +0100
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Scott Parkerson" <scott.parkerson@gmail.com>, public-webapps@w3.org
Message-ID: <op.u4zasahi64w2qv@anne-van-kesterens-macbook.local>

On Mon, 14 Dec 2009 11:03:27 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
> My recollection from the meeting in Seattle was that we did not want
> to allow this.
> In any case, it does seem like a very strange feature to me. Sending
> Access-Control-Allow-Origin: null
> would then mean essentially, "allow access to everyone who I don't
> know who it is". I can't think of a situation where this makes sense.

The use case we discussed was allowing e.g. personalized search results
even from things that do not have an origin. (You cannot do that with *
because we explicitly disallowed credentials there.)

Anne van Kesteren
Received on Tuesday, 15 December 2009 12:11:32 UTC
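
Added example, not part of the original message: a simplified JavaScript model of the resource sharing check discussed in this thread, showing why `*` cannot serve credentialed requests while `null` matches every caller that has no origin. The function names, the caller list and the `https://app.example` origin are constructed for illustration.

```javascript
// Simplified model of the check a user agent applies to a cross-origin
// response (added example; names are hypothetical, not from the spec text).
// requestOrigin is the serialized Origin header value; a context with no
// origin serializes to the literal string "null".
function resourceSharingCheck(requestOrigin, headers, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  // The wildcard only ever matches requests made without credentials.
  if (allowOrigin === "*") return !withCredentials;
  // Any other value must equal the serialized origin exactly.
  if (allowOrigin !== requestOrigin) return false;
  if (!withCredentials) return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Constructed callers: two unrelated contexts without an origin, one with.
const CALLERS = [
  { label: "no-origin context A", origin: "null" },
  { label: "no-origin context B", origin: "null" },
  { label: "https://app.example", origin: "https://app.example" },
];

// Which callers may read a credentialed response carrying these headers?
function credentialedReaders(headers) {
  return CALLERS
    .filter((c) => resourceSharingCheck(c.origin, headers, true))
    .map((c) => c.label);
}

// Constructed response header sets for the three policies being compared.
const wildcard = { "access-control-allow-origin": "*", "access-control-allow-credentials": "true" };
const nullOrigin = { "access-control-allow-origin": "null", "access-control-allow-credentials": "true" };
const named = { "access-control-allow-origin": "https://app.example", "access-control-allow-credentials": "true" };

console.log("*    ->", credentialedReaders(wildcard));
console.log("null ->", credentialedReaders(nullOrigin));
console.log("name ->", credentialedReaders(named));
```

The `null` policy admits both no-origin callers at once, because the server has no way to tell them apart from the header value alone.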
