- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 08 Aug 2008 02:46:45 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Sunava Dutta <sunavad@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Anne van Kesteren wrote:
> On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Please note that
>>
>> Access-Control-Allow-Origin: url
>>
>> is also allowed syntax. Where the url must contain only scheme, [host,
>> and port].
>>
>> So the following syntax is allowed:
>> Access-Control-Allow-Origin: http://example.com
>>
>> It is somewhat unclear if the following syntaxes are allowed:
>>
>> Access-Control-Allow-Origin: http://example.com/
>> Access-Control-Allow-Origin: http://example.com/?
>> Access-Control-Allow-Origin: http://example.com/#
>> Access-Control-Allow-Origin: http://example.com/;
>>
>> I think the first one should be ok, but not the other three.
>
> I think all of these should be disallowed.
>
> My plan is to simply require Access-Control-Allow-Origin to hold the
> ASCII serialization of an origin (see HTML5) and have a literal
> comparison of that with the value of Origin. This would be quite strict,
> but should be fine I think.

Oops, sorry, should have commented here instead.

String comparisons are not going to work either way. The following two
origins are equivalent:

http://example.com:80
http://example.com

I also suspect there are ways of using punycode to encode strict ascii
host names which would result in a same origin check returning true even
when string checks wouldn't, I'm less sure about that though.

/ Jonas
Received on Friday, 8 August 2008 09:48:19 UTC
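The two comparison strategies discussed in the message above, written out as an added example (not code from the thread or from any browser implementation); it runs both through the WHATWG URL parser, and the function names and sample origins are this example's own assumptions.

```javascript
// Added example: comparing Access-Control-Allow-Origin with the request's
// Origin, first as a literal string and then as a serialized origin. Uses the
// WHATWG URL parser available in Node.js and browsers. Function names and
// sample values are constructed for this example, not taken from the thread.

// Literal string comparison of the two header values. It treats
// http://example.com:80 and http://example.com as different even though
// they are the same origin.
function literalMatch(allowOriginHeader, originHeader) {
  return allowOriginHeader === originHeader;
}

// Serialize a URL string to its ASCII origin: scheme://host[:port] with the
// scheme and host lowercased, the host IDNA (punycode) encoded, and a
// default port dropped. Returns null when the value does not parse or
// has no tuple origin.
function toOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// Compare serialized origins instead of raw strings, so equivalent spellings
// of one origin match. Note that this also accepts header values carrying a
// trailing path, query or fragment, because the parser discards those.
function originMatch(allowOriginHeader, originHeader) {
  const allowed = toOrigin(allowOriginHeader);
  return allowed !== null && allowed === toOrigin(originHeader);
}

// Strict syntax check: is the header value exactly a serialized origin, with
// no trailing "/", "?", "#" or ";"? Pairing this with originMatch gives the
// strict header syntax while still comparing origins rather than strings.
function isBareOrigin(value) {
  return toOrigin(value) === value;
}
```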