Re: [access-control] Access-Control-Allow-Origin: * and ascii-origin in IE8

On Wed, Jan 14, 2009 at 8:00 AM, Adrian Bateman <> wrote:
> I wanted to let the WG members know that we have completed our support for Access-Control in IE8 for the Simple Cross-Site Access Request. We support the Access-Control-Allow-Origin: * wildcard as we did in Beta 2 but in the next public release of IE8, our Release Candidate, we have also added support for the string comparison to the ascii-origin. I want to thank the members of this group who gave us feedback about making this change.

Yay! This is awesome! Thanks a lot for making these changes.

> Making changes to our implementation now will be costly and I'd prefer if this part of the draft didn't have to change significantly. On the subject of renaming the Origin header, we'd prefer the option to keep it as is and have the name for CSRF changed in HTML 5 as Ian raised [1] if possible.

The problem I think is that the current name, 'Origin',  is extremely
generic and so it's likely to cause confusion once we get other
headers containing origins.

That said, I do understand that this is a very late change for you
guys. Developers will code to what works, so as long as things work
the same across browsers, with regards to this and the CSRF protection
header, things should be mostly ok.

What do other people think?

/ Jonas

Received on Wednesday, 14 January 2009 18:54:18 UTC