Explain intended use of Access-Control-Origin?

Anne,

as just discussed in IRC, it would be good if section 4.1 in
access-control could elaborate a bit more on the motivation behind only
permitting a single origin, and on the expected processing.

For example, add this to the end of 4.1:

> Note that this header's value can be either a wildcard or a  
> <em>single</em> origin.  The intent is not to broadcast a resource's  
> list of authorized origins to the world, but to instead echo the  
> value of a cross-site request's <code>Origin</code> header, if that  
> origin is indeed authorized to cause cross-site requests to the  
> resource in question.

(or something like that)

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 4 February 2009 12:32:16 UTC
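
The processing proposed in the note above, as an added example that is not part of the original message or of the specification: the server compares the request's Origin header against a private allowlist and echoes that single value, never the list. It uses the header name browsers implement, Access-Control-Allow-Origin; the function name, the allowlist and the origins in it are hypothetical sample values.

```javascript
// Added example: choosing the Access-Control-Allow-Origin value per request.
// ALLOWED_ORIGINS and its entries are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Returns the CORS-related response headers for one request.
// requestOrigin: value of the request's Origin header, undefined if absent.
// publicResource: true when any site may read the resource (wildcard case).
function corsResponseHeaders(requestOrigin, publicResource = false) {
  if (publicResource) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  // The response now depends on the Origin header, so shared caches must
  // key on it, including for responses that carry no allow header.
  const headers = { "Vary": "Origin" };
  if (typeof requestOrigin !== "string") {
    return headers; // no Origin header: nothing to echo
  }
  // Exact string comparison of the serialized origin. Prefix, suffix or
  // substring matching would authorize look-alike hosts, and the literal
  // origin "null" is not in the allowlist, so it is never echoed.
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin; // one origin only
  }
  return headers;
}

// Constructed sample requests, printed when the file is run directly.
for (const origin of [
  "https://app.example.com",
  "https://app.example.com.attacker.test",
  "null",
  undefined,
]) {
  console.log(String(origin), "->", JSON.stringify(corsResponseHeaders(origin)));
}
```

An unauthorized origin gets no allow header at all, so the response reveals nothing about which other origins are authorized.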