- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 08 Aug 2008 11:44:04 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, Sunava Dutta <sunavad@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Jonas Sicking wrote:

> Anne van Kesteren wrote:
>> On Fri, 08 Aug 2008 11:38:55 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>>> String comparison is not going to be ok either way. The following two origins are equivalent:
>>>
>>> http://www.foo.com
>>> http://www.foo.com:80
>>
>> My proposal was to treat those as non-equivalent. Basically, to require Access-Control-Allow-Origin to have the same value as Origin.
>
> The downside with doing that is that we can't use the same syntax for Access-Control as for postMessage. (Yes, I'm still intending to get postMessage fixed, haven't had time yet though).
>
> Not sure how big the value is in that though...

The big worry I have though is if there is any possibility to puny-encode the same origin in multiple ways (other than with or without default port). This could lead to different UAs encoding the same origin in different ways, which could lead to interoperability issues if sites, rather than echoing the 'Origin' header, always send out a static value for the Access-Control-Allow-Origin header.

In general, I don't think it's a lot of work to require a strict same-origin check. All browsers should have such an algorithm implemented anyway.

/ Jonas
Received on Friday, 8 August 2008 18:45:39 UTC