Re: XDomainRequest Integration with AC

On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Please note that
>
> Access-Control-Allow-Origin: url
>
> is also allowed syntax. Where the url must contain only scheme, [host,  
> and port].
>
> So the following syntax is allowed:
> Access-Control-Allow-Origin: http://example.com
>
> It is somewhat unclear if the following syntaxes are allowed:
>
> Access-Control-Allow-Origin: http://example.com/
> Access-Control-Allow-Origin: http://example.com/?
> Access-Control-Allow-Origin: http://example.com/#
> Access-Control-Allow-Origin: http://example.com/;
>
> I think the first one should be ok, but not the other three.

I think all of these should be disallowed.

My plan is to simply require Access-Control-Allow-Origin to hold the ASCII  
serialization of an origin (see HTML5) and have a literal comparison of  
that with the value of Origin. This would be quite strict, but should be  
fine I think.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 7 August 2008 22:28:05 UTC