[AC/CORS] Proper behavior for user agents who return 'null' Access-Control-Allow-Origin

I discovered today that Origin handling for CORS is a bit odd on
Firefox with respect to requests made from webpages that are loaded
locally (e.g. loaded from the  "file://" access scheme). In this case,
CORS preflight requests and simple cross-origin requests are sent with
a "null" (String) value for Origin. Initially, I thought this was a
bug and filed it with Mozilla[1]. Jonas pointed out (rightfully) that
I need to do a better job reading the spec and that a "null" string
value is perfectly acceptable.

However, I noticed that Firefox would fail to issue the follow on
request after a successful pre-flight request IFF the server returned
the "null" string for Access-Control-Allow-Origin, even though that's
what the user agent originally sent. I added this finding onto the
same bug (see also). Jonas responded that it appears that the CORS
spec had changed since that was implemented in Firefox, and that he
believes the spec may be incorrect. I was able to verify that Firefox
behaves properly only if the server sends "*" for
Access-Control-Allow-Origin.

I dug a bit through the archives but I couldn't find the rationale for
the change to the CORS spec. I did notice that the change occurred
*after* the spec dated 14 Feb 2008[2], or at least the notion that
"null" matches nothing disappeared after that time, and that the
current spec[3] explicitly states in section 6.2 that the Resource
Sharing Check algorithm "...also functions when the ASCII
serialization of an origin is the string 'null'."

--sgp
cf. smerpology.org

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=533987
[2] http://www.w3.org/TR/2008/WD-access-control-20080214
[3] http://www.w3.org/TR/2009/WD-cors-20090317/

Received on Friday, 11 December 2009 09:14:07 UTC