- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 8 Oct 2008 18:05:20 -0700
- To: "WebApps WG" <public-webapps@w3.org>
In some cases, XHR+AC will send an Origin header whose value is the empty string. This asks server operators to distinguish between a request that lacks an Origin header (like a same-site request) and a request with an empty Origin header (say from a data URL), which might be tricky in various languages like mod_security. Also, some proxies might normalize empty headers away if they represent the non-existence of a header with the empty string (as, for example, XMLHttpRequest does). A previous version of the spec sent the literal string "null" in these cases. It seems like this behavior is preferable. If we want to have the same behavior as postMessage, we might be able to change its origin property to use the string "null" in these cases too. Adam
Received on Thursday, 9 October 2008 01:05:55 UTC