Re: XDomainRequest Integration with AC

Jonas Sicking wrote:
> 
> Anne van Kesteren wrote:
>> On Fri, 08 Aug 2008 11:38:55 +0200, Jonas Sicking <jonas@sicking.cc> 
>> wrote:
>>> String comparison is not going to be ok either way. The following two 
>>> origins are equivalent:
>>>
>>> http://www.foo.com
>>> http://www.foo.com:80
>>
>> My proposal was to treat those as non-equivalent. Basically, to 
>> require Access-Control-Allow-Origin to have the same value as Origin.
> 
> The downside with doing that is that we can't use the same syntax for 
> Access-Control as for postMessage. (Yes, I'm still intending to get 
> postMessage fixed, haven't had time yet though).
> 
> Not sure how big the value is in that though...

The big worry I have though is if there is any possibility to punycode-encode 
the same origin in multiple ways (other than with or without the 
default port). This could lead to different UAs encoding the same origin 
in different ways, which could lead to interoperability issues if sites, 
rather than echoing the 'Origin' header, always send out a static value 
for the Access-Control-Allow-Origin header.

In general, I don't think it's a lot of work to require a strict 
same-origin check. All browsers should have such an algorithm 
implemented anyway.

/ Jonas

Received on Friday, 8 August 2008 18:45:39 UTC
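The two comparison rules discussed in the thread (Anne's byte-for-byte match of Access-Control-Allow-Origin against Origin, and Jonas's scheme/host/port same-origin check), written out as an added example that is not part of the original message or of any browser's code. It leans on the WHATWG URL parser built into browsers and Node.js to derive the (scheme, host, port) tuple; the function names and the sample origin pairs are this example's own, constructed for illustration.

```javascript
// Added example, not from the thread. Two ways of deciding whether a
// response's Access-Control-Allow-Origin value matches the request's Origin.

// Rule 1 (Anne's proposal): the header must be byte-for-byte identical
// to the Origin the browser sent.
function strictMatch(requestOrigin, allowOrigin) {
  return requestOrigin === allowOrigin;
}

// Parse a value into a serialized (scheme, host, port) origin.
// The WHATWG URL parser drops a default port (":80" for http, ":443" for
// https), lowercases the scheme and host, and IDNA-encodes a Unicode
// host, so url.origin is already the canonical tuple for comparison.
// Returns null for anything that is not a parseable, non-opaque origin
// (e.g. "*", "null", or a bare hostname).
function parseOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null;
  }
  if (url.origin === "null") return null; // opaque origin (data:, file:, ...)
  return url.origin;
}

// Rule 2 (Jonas's preference): compare the tuples, not the strings.
function tupleMatch(requestOrigin, allowOrigin) {
  const a = parseOrigin(requestOrigin);
  const b = parseOrigin(allowOrigin);
  return a !== null && b !== null && a === b;
}

// Constructed sample pairs (hypothetical hosts), each as
// [Origin sent by the browser, Access-Control-Allow-Origin sent by the site].
const SAMPLES = [
  ["http://www.foo.com", "http://www.foo.com:80"],           // differ only by default port
  ["http://www.foo.com", "HTTP://WWW.FOO.COM"],              // differ only by case
  ["http://xn--bcher-kva.example", "http://bücher.example"], // punycode vs Unicode host
  ["http://www.foo.com", "http://www.foo.com:8080"],         // genuinely different port
  ["https://www.foo.com", "http://www.foo.com"],             // genuinely different scheme
  ["http://www.foo.com", "null"],                            // not an origin at all
];

// Evaluate both rules over the samples; returns one row per pair so the
// divergence between string equality and tuple equality is visible.
function compareAll(samples = SAMPLES) {
  return samples.map(([origin, allow]) => ({
    origin,
    allow,
    strict: strictMatch(origin, allow),
    tuple: tupleMatch(origin, allow),
  }));
}

for (const row of compareAll()) {
  console.log(`${row.origin} vs ${row.allow}: strict=${row.strict} tuple=${row.tuple}`);
}
```

The first three rows are the interoperability hazard Jonas describes: a site that emits a static header spelled differently from what a given UA puts in Origin passes the tuple check but fails the strict one. The tuple check is only as good as the parser's canonicalization, which is why a spec-defined same-origin algorithm, rather than whatever each UA happens to serialize, is what makes a static Access-Control-Allow-Origin value safe to rely on.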