- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 18 Jul 2008 18:58:08 -0700
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Sunava Dutta <sunavad@windows.microsoft.com>, "annevk@opera.com" <annevk@opera.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Maciej Stachowiak wrote: > > On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote: > >> I’m in time pressure to lock down the header names for Beta 2 to >> integrate XDR with AC. It seems no body has objected to Jonas’s >> proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html >> Please let me know if this discussion is closed so we can make the change. > > I think Anne's email represents the most recent agreement and I don't > think anyone has > objected: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html > > The change would be: > > Instead of checking for "XDomainRequestAllowed: 1" check for > "Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url" > where url matches what was sent in the Origin header. 'url' is parsed as an absolute URL using the internal parser used for normal URL parsing, but if the resulting URL contains anything other than scheme, domain and port then access should be denied. I.e. if the url contains a path, a query string a fragment or similar, the header is considered invalid and MUST be ignored. / Jonas
Received on Saturday, 19 July 2008 01:59:41 UTC