W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [CORS] Multiple origin values?

From: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Date: Mon, 27 Sep 2010 16:02:22 +0300
Message-ID: <AANLkTinV1yY_MPFfzsUHDvKyDtL-gDQ_GSWcH8tJyQAc@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: public-webapps <public-webapps@w3.org>
>> Multiple origin URLs in "Origin" and "Access-Control-Allow-Origin"
>> must be space-separated, correct?
>
> Yes.
>
>
>> I'd like to double-check this as the Mozilla docs says
>> comma-separated, and they seem to be in error:
>>
>> https://developer.mozilla.org/En/HTTP_access_control#section_3
>>
>> "...The Access-Control-Allow-Origin header should contain a comma
>> separated list of acceptable domains..."
>
> This seems entirely incorrect as the Access-Control-Allow-Origin must match
> the Origin header exactly, octet for octet.

Thanks, Anne. I suspect they got confused by the other CORS headers
that are comma separated. I also nearly fell into this trap, but thank
god, the draft-abarth-origin-07 was still fresh in my head. I suppose
it might be helpful to add an example with multiple origin URLs at the
bottom to minimise the risk of misunderstanding.

Also, it could somewhat help if the contents of sections 5.1.2 and
5.2.2 were made identical.

-- 
Vladimir Dzhuvinov :: software.dzhuvinov.com
Received on Monday, 27 September 2010 13:02:59 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT