- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 24 Sep 2009 18:00:27 +0200
- To: "Adam Barth" <w3c@adambarth.com>
- Cc: "Collin Jackson" <collin@collinjackson.com>, "Mark Nottingham" <mnot@mnot.net>, "Ian Hickson" <ian@hixie.ch>, "HTTP Working Group" <ietf-http-wg@w3.org>, public-webapps@w3.org, "Tyler Close" <tyler.close@gmail.com>
I have now specified the approach we discussed:

  http://dev.w3.org/2006/waf/access-control/

For simple requests redirects are followed. For other cross-origin requests they are the equivalent of a network error. The Origin header is a U+0020-separated list of origins. Each time a redirect takes place an origin is added to the origin chain if it is not the same as the last origin that was added. The Access-Control-Allow-Origin header needs to be identical to the value of the Origin header, octet-for-octet.

Let me know if I missed anything or if the draft is unclear.

On Thu, 24 Sep 2009 13:17:09 +0200, Anne van Kesteren <annevk@opera.com> wrote:
> That would also allow multiple headers to be used I think. Since
> Access-Control-Allow-Origin needs to have an identical value to the
> Origin header I do not think that would work well. Well, it would
> probably work, but would make all the processing a lot more complicated
> than it needs to be. (I'd prefer it to just be a simple string
> comparison.)
>
>
>>> What order would be best there?
>>
>> I think the simplest thing is to list the origins in the order in
>> which the user agent encounters them (with adjacent duplicates
>> removed).
>
> That sounds reasonable.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Thursday, 24 September 2009 16:01:18 UTC
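
The rules stated in the message above, worked through as an added example (not part of the original message or of the draft's text). It assumes the origin appended on each redirect is that of the URL that issued the redirect and that the chain starts with the requesting page's origin; the function names and the `*.example` hosts are constructed for illustration.

```javascript
// Added example: models the rules as stated in the message, not a browser's code.
// Assumption: on a redirect, the origin of the redirecting URL is appended.

function originOf(url) {
  return new URL(url).origin; // scheme://host[:port]
}

// Simple requests follow redirects; for any other cross-origin request
// a redirect is the equivalent of a network error.
function onRedirect(isSimpleRequest) {
  return isSimpleRequest ? "follow" : "network-error";
}

// Origin header value: U+0020-separated list in the order encountered,
// skipping an origin that equals the last one added.
function originHeader(sourceOrigin, redirectingUrls) {
  const chain = [sourceOrigin];
  for (const url of redirectingUrls) {
    const o = originOf(url);
    if (chain[chain.length - 1] !== o) chain.push(o);
  }
  return chain.join("\u0020");
}

// Access-Control-Allow-Origin must be identical to Origin: a plain string
// comparison with no case folding, trimming, or per-origin list matching.
function allowOriginMatches(origin, allowOrigin) {
  return origin === allowOrigin;
}

// Constructed sample: a page on a.example requests b.example/start, which
// redirects to b.example/step2, which redirects to c.example.
const sent = originHeader("http://a.example", [
  "http://b.example/start",
  "http://b.example/step2",
]);

// A server that echoes only the first origin no longer matches once a
// redirect has extended the chain.
const echoFirstOnly = allowOriginMatches(sent, "http://a.example");
const echoWholeValue = allowOriginMatches(sent, sent);
```

A server that wants to grant access under these rules has to compare and echo the whole Origin value, since any subset, reordering, or re-casing of the list fails the comparison.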