- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 4 Feb 2009 13:32:05 +0100
- To: Anne van Kesteren <annevk@opera.com>
- Cc: WebApps WG <public-webapps@w3.org>

Anne,

as just discussed in IRC, it would be good if section 4.1 in access-control could elaborate a bit more on the motivation behind only permitting a single origin, and on the expected processing.

For example, add this to the end of 4.1:

> Note that this header's value can be either a wildcard or a
> <em>single</em> origin. The intent is not to broadcast a resource's
> list of authorized origins to the world, but to instead echo the
> value of a cross-site request's <code>Origin</code> header, if that
> origin is indeed authorized to cause cross-site requests to the
> resource in question.

(or something like that)

Regards,
-- Thomas Roessler, W3C <tlr@w3.org>

Received on Wednesday, 4 February 2009 12:32:16 UTC
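
The processing the proposed note describes, sketched as server-side logic in an added example that is not part of the original message or of the specification. The function name, the allowlist contents and the `Vary: Origin` response header are assumptions of the example.

```python
from typing import Dict, FrozenSet, Optional

# Constructed allowlist for illustration; these origins are not from the message.
AUTHORIZED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example",
    "https://partner.example:8443",
})


def cors_headers(request_origin: Optional[str],
                 authorized: FrozenSet[str] = AUTHORIZED_ORIGINS,
                 public: bool = False) -> Dict[str, str]:
    """Return the CORS response headers for one request (hypothetical helper).

    Access-Control-Allow-Origin is "*" or exactly one origin, never the list.
    """
    if public:
        # Resource is meant to be readable from any site: the wildcard form.
        return {"Access-Control-Allow-Origin": "*"}

    # The response now depends on the request's Origin header, so caches must
    # key on it, whether or not this particular origin was authorized.
    headers = {"Vary": "Origin"}

    if request_origin is None:
        # No Origin header: not a cross-site request, nothing to echo.
        return headers

    # Exact string match only. Prefix, suffix or regex matching would accept
    # look-alikes such as "https://app.example.other.example".
    if request_origin in authorized:
        # Echo the caller's own origin; the rest of the allowlist stays private.
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


if __name__ == "__main__":
    for origin in ("https://app.example", "https://unknown.example", None):
        print(origin, "->", cors_headers(origin))
```

An unauthorized origin gets no `Access-Control-Allow-Origin` header at all, so the response reveals neither the allowlist nor which other origins would have been accepted.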