- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 07 Aug 2008 23:28:48 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Sunava Dutta <sunavad@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Anne van Kesteren wrote:
> On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Please note that
>>
>> Access-Control-Allow-Origin: url
>>
>> is also allowed syntax. Where the url must contain only scheme, [host, and port].
>>
>> So the following syntax is allowed:
>> Access-Control-Allow-Origin: http://example.com
>>
>> It is somewhat unclear if the following syntaxes are allowed:
>>
>> Access-Control-Allow-Origin: http://example.com/
>> Access-Control-Allow-Origin: http://example.com/?
>> Access-Control-Allow-Origin: http://example.com/#
>> Access-Control-Allow-Origin: http://example.com/;
>>
>> I think the first one should be ok, but not the other three.
>
> I think all of these should be disallowed.
>
> My plan is to simply require Access-Control-Allow-Origin to hold the ASCII serialization of an origin (see HTML5) and have a literal comparison of that with the value of Origin. This would be quite strict, but should be fine I think.

That is fine, though I'm inclined to think that the trailing slash should be allowed in the HTML5 syntax for an origin.

/ Jonas
Received on Friday, 8 August 2008 06:30:22 UTC
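The check Anne describes (the Access-Control-Allow-Origin value must literally equal the ASCII serialization of the requesting origin) is small enough to show in full. The following is an added example written for this archive page, not code from the thread, the CORS draft, or any browser; it uses the WHATWG URL API's `.origin` getter (available in Node and browsers) as the origin serializer, since that getter produces the `scheme://host[:port]` form with default ports dropped that the thread refers to. The `allowTrailingSlash` option is an assumption added to illustrate Jonas's point that a trailing slash might be tolerated; it is not part of either proposal. The `*` wildcard is the one the CORS draft also defined.

```javascript
// Added example: strict Access-Control-Allow-Origin matching as discussed in
// the thread. Not code from the thread, the spec, or a browser.

// Serialize a document URL to its origin: scheme, host, and non-default port.
// Everything after the authority (path, query, fragment) is discarded, which is
// exactly why "http://example.com/", "/?", "/#", "/;" never equal an origin.
function serializeOrigin(documentUrl) {
  return new URL(documentUrl).origin;
}

// Decide whether a response may be exposed to the requesting origin.
//   requestingOrigin: the serialized origin the browser put in the Origin header
//   allowOriginHeader: the Access-Control-Allow-Origin value from the response
//   options.allowTrailingSlash: hypothetical relaxation (one trailing "/"
//     is tolerated); off by default to match the strict literal comparison.
function accessControlCheck(requestingOrigin, allowOriginHeader, options = {}) {
  if (typeof allowOriginHeader !== 'string') return false; // header absent

  // Tolerate only optional whitespace around the header value.
  let value = allowOriginHeader.trim();

  if (value === '*') return true; // wildcard form defined by the CORS draft

  if (options.allowTrailingSlash && value.endsWith('/')) {
    value = value.slice(0, -1); // strip exactly one trailing slash
  }

  // Literal, case-sensitive comparison: no normalization of host case,
  // default ports, or paths. Anything that is not byte-for-byte the origin
  // serialization fails.
  return value === requestingOrigin;
}

// Evaluate each candidate header value from the thread against one origin.
// Returns a map of header value -> allowed?, so the outcome is inspectable.
function evaluateCandidates(requestingOrigin, candidates, options = {}) {
  const results = {};
  for (const header of candidates) {
    results[header] = accessControlCheck(requestingOrigin, header, options);
  }
  return results;
}

// The four header forms the thread asks about, plus the accepted one.
const candidateHeaders = [
  'http://example.com',
  'http://example.com/',
  'http://example.com/?',
  'http://example.com/#',
  'http://example.com/;',
];

// Constructed sample document URL; its origin is "http://example.com".
const requestingOrigin = serializeOrigin('http://example.com:80/page?x=1#top');

console.log('strict:', evaluateCandidates(requestingOrigin, candidateHeaders));
console.log(
  'trailing slash tolerated:',
  evaluateCandidates(requestingOrigin, candidateHeaders, { allowTrailingSlash: true })
);
```

Under the strict rule only the bare `http://example.com` passes; with the hypothetical trailing-slash relaxation `http://example.com/` also passes while `/?`, `/#` and `/;` still fail, because stripping one slash leaves a character that is not part of any origin serialization. Note that the literal comparison also rejects `http://example.com:80` and `http://Example.com`, since the serializer drops the default port and lower-cases the host before the comparison is made.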