- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 09 Oct 2008 09:54:26 +0200
- To: "Adam Barth" <w3c@adambarth.com>, "WebApps WG" <public-webapps@w3.org>
On Thu, 09 Oct 2008 03:05:20 +0200, Adam Barth <w3c@adambarth.com> wrote: > In some cases, XHR+AC will send an Origin header whose value is the > empty string. This asks server operators to distinguish between a > request that lacks an Origin header (like a same-site request) and a > request with an empty Origin header (say from a data URL), which might > be tricky in various languages like mod_security. Also, some proxies > might normalize empty headers away if they represent the non-existence > of a header with the empty string (as, for example, XMLHttpRequest > does). Actually, XMLHttpRequest distinguishes between the two. (Empty string versus null, though not all browsers have implemented that feature yet.) > A previous version of the spec sent the literal string "null" in these > cases. It seems like this behavior is preferable. If we want to have > the same behavior as postMessage, we might be able to change its > origin property to use the string "null" in these cases too. If HTML5 were to change Access Control would also automatically change. However, browsers are already deploying this. Then again, I haven't actually tested if any browser does Origin correctly yet. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Thursday, 9 October 2008 07:55:09 UTC