Re: XDomainRequest Integration with AC

Anne van Kesteren wrote:
> On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Please note that
>>
>> Access-Control-Allow-Origin: url
>>
>> is also allowed syntax. Where the url must contain only scheme, [host, 
>> and port].
>>
>> So the following syntax is allowed:
>> Access-Control-Allow-Origin: http://example.com
>>
>> It is somewhat unclear if the following syntaxes are allowed:
>>
>> Access-Control-Allow-Origin: http://example.com/
>> Access-Control-Allow-Origin: http://example.com/?
>> Access-Control-Allow-Origin: http://example.com/#
>> Access-Control-Allow-Origin: http://example.com/;
>>
>> I think the first one should be ok, but not the other three.
> 
> I think all of these should be disallowed.
> 
> My plan is to simply require Access-Control-Allow-Origin to hold the 
> ASCII serialization of an origin (see HTML5) and have a literal 
> comparison of that with the value of Origin. This would be quite strict, 
> but should be fine I think.

Oops, sorry, should have commented here instead.

String comparisons are not going to work either way. The following two 
origins are equivalent:

http://example.com:80
http://example.com

I also suspect there are ways of using punycode to encode strict ASCII 
host names which would result in a same-origin check returning true even 
when string checks wouldn't; I'm less sure about that though.

/ Jonas

Received on Friday, 8 August 2008 09:48:19 UTC
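The exchange above turns on two separate things: how strictly the value of Access-Control-Allow-Origin should be parsed (the trailing "/", "/?", "/#", "/;" variants), and whether a literal string comparison against the Origin header is enough once the value has been parsed. The following is an added example, not code from the thread or from any browser: a parser that accepts only scheme, host and optional port, and a comparison that treats http://example.com:80 and http://example.com as the same origin. All function names are my own, the port defaults are assumed to be 80 and 443 for http and https only, and the handling of "xn--" labels is one possible answer to the punycode concern raised in the message rather than anything the thread settles.

```javascript
// Added example (hypothetical code, not from the thread): strict parsing of an
// Access-Control-Allow-Origin value and an origin comparison that does not rely
// on literal string equality.

// Assumption: only http and https are handled; their default ports per RFC 2616/2818.
const DEFAULT_PORTS = { http: 80, https: 443 };

// Normalize one host label. Host names are case-insensitive, so lowercase it.
// A label of the form "xn--<ascii>-" is Punycode whose body is only basic code
// points followed by the lone "-" delimiter (RFC 3492), i.e. an alternate
// spelling of a plain ASCII label. IDNA requires a U-label to contain at least
// one non-ASCII character, so such a label is treated as invalid and rejected
// rather than compared as text that happens to differ from the plain spelling.
function normalizeLabel(label) {
  const l = label.toLowerCase();
  if (l.startsWith("xn--") && l.endsWith("-")) return null;
  return l;
}

// Parse a header value as exactly scheme "://" host [":" port] and nothing else.
// A trailing "/", "?", "#" or ";" fails the regex, so those values are rejected.
// Returns { scheme, host, port } with the port made explicit, or null.
function parseOrigin(value) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([a-z0-9.-]+)(?::([0-9]{1,5}))?$/i.exec(value.trim());
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  if (!(scheme in DEFAULT_PORTS)) return null;
  const labels = m[2].split(".").map(normalizeLabel);
  if (labels.some((l) => l === null || l === "")) return null;
  const port = m[3] === undefined ? DEFAULT_PORTS[scheme] : Number(m[3]);
  if (port < 1 || port > 65535) return null;
  return { scheme, host: labels.join("."), port };
}

// ASCII serialization: scheme "://" host, with the port only when non-default.
function serializeOrigin(o) {
  const p = o.port === DEFAULT_PORTS[o.scheme] ? "" : ":" + o.port;
  return `${o.scheme}://${o.host}${p}`;
}

// Compare the parsed tuple, not the strings the client and server happened to send.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does a response's Access-Control-Allow-Origin value permit a request whose
// Origin header is requestOrigin? "*" is the wildcard; anything else must parse
// as an origin and match the requester after normalization.
function allowOriginMatches(headerValue, requestOrigin) {
  if (headerValue.trim() === "*") return true;
  const allowed = parseOrigin(headerValue);
  const requester = parseOrigin(requestOrigin);
  if (allowed === null || requester === null) return false;
  return sameOrigin(allowed, requester);
}

// Demo over the values discussed in the thread (constructed inputs).
const requester = "http://example.com";
for (const v of [
  "http://example.com",
  "http://example.com:80",
  "HTTP://Example.COM",
  "http://example.com/",
  "http://example.com/?",
  "http://example.com/#",
  "http://example.com/;",
  "http://xn--example-.com",
]) {
  console.log(
    `${v.padEnd(26)} literal=${v === requester} normalized=${allowOriginMatches(v, requester)}`
  );
}
```

The literal column in the demo is exactly the comparison proposed in the quoted reply; the normalized column is what a same-origin check needs to return. Note that rejecting the malformed variants and normalizing the port are independent decisions: a parser can be strict about syntax and still compare the parsed tuple rather than the raw header bytes.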