- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 20 Oct 2008 15:18:34 +0000 (UTC)
- To: Adam Barth <w3c@adambarth.com>
- Cc: WebApps WG <public-webapps@w3.org>
On Wed, 8 Oct 2008, Adam Barth wrote: > > In some cases, XHR+AC will send an Origin header whose value is the > empty string. This asks server operators to distinguish between a > request that lacks an Origin header (like a same-site request) and a > request with an empty Origin header (say from a data URL), which might > be tricky in various languages like mod_security. Also, some proxies > might normalize empty headers away if they represent the non-existence > of a header with the empty string (as, for example, XMLHttpRequest > does). > > A previous version of the spec sent the literal string "null" in these > cases. It seems like this behavior is preferable. If we want to have > the same behavior as postMessage, we might be able to change its origin > property to use the string "null" in these cases too. HTML5 has now changed to do this, which I believe automatically fixes XHR+AC for you. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 20 October 2008 15:19:11 UTC