
Re: [AC/CORS] Proper behavior for user agents who return 'null' Access-Control-Allow-Origin

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 15 Dec 2009 14:37:32 -0800
Message-ID: <63df84f0912151437h8e553b0xf7ae127d5e2581da@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Scott Parkerson <scott.parkerson@gmail.com>, public-webapps@w3.org

On Tue, Dec 15, 2009 at 4:10 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Mon, 14 Dec 2009 11:03:27 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> My recollection from the meeting in Seattle was that we did not want
>> to allow this.
>>
>> In any case, it does seem like a very strange feature to me. Sending
>>
>> Access-Control-Allow-Origin: null
>>
>> would then mean essentially, "allow access to everyone who I don't
>> know who it is". I can't think of a situation where this makes sense.
>
> The use case we discussed was allowing e.g. personalized search results even
> from things that do not have an origin. (You cannot do that with * because
> we explicitly disallowed credentials there.)

Hmm.. OK, I guess I buy that.

/ Jonas
Received on Tuesday, 15 December 2009 22:38:32 GMT
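
The trade-off discussed in this thread, as an added example that is not part of the original messages: the CORS check in the form the current Fetch Standard gives it, run against a wildcard, a `null` and a pinned Access-Control-Allow-Origin value. The function names, the header-object shape and the example.* origins are constructed for illustration.

```javascript
// CORS check following the steps of the Fetch Standard's "CORS check".
// Assumption: responseHeaders is a plain object with lowercase header names.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  // "*" is honoured only when the request carries no credentials.
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  // Otherwise the value must equal the serialized request origin exactly.
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== "include") return true;
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// Constructed callers. Every opaque origin serializes to the string "null",
// so the server cannot tell the last two apart.
const callers = [
  { label: "https://app.example", origin: "https://app.example" },
  { label: "sandboxed iframe hosted on https://other.example", origin: "null" },
  { label: "document loaded from a data: URL", origin: "null" },
];

// Constructed server policies.
const wildcard = {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
};
const nullOrigin = {
  "access-control-allow-origin": "null",
  "access-control-allow-credentials": "true",
};
const pinned = {
  "access-control-allow-origin": "https://app.example",
  "access-control-allow-credentials": "true",
};

// Labels of the callers that may read the response under a given policy.
function allowedCallers(responseHeaders, credentialsMode) {
  return callers
    .filter((c) => corsCheck(c.origin, credentialsMode, responseHeaders))
    .map((c) => c.label);
}

for (const [name, policy] of Object.entries({ wildcard, nullOrigin, pinned })) {
  console.log(name, "with credentials:", allowedCallers(policy, "include"));
}
```

With credentials included, the wildcard policy admits no caller, the pinned policy admits only https://app.example, and the `null` policy admits both opaque-origin callers. A server that needs credentialed cross-origin reads should compare the Origin header against an allowlist of concrete origins and echo only a match.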