- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 14 Dec 2009 02:03:27 -0800
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Scott Parkerson <scott.parkerson@gmail.com>, public-webapps@w3.org
On Fri, Dec 11, 2009 at 1:26 AM, Anne van Kesteren <annevk@opera.com> wrote: > On Thu, 10 Dec 2009 23:04:37 +0100, Scott Parkerson > <scott.parkerson@gmail.com> wrote: >> >> I discovered today that Origin handling for CORS is a bit odd on >> Firefox with respect to requests made from webpages that are loaded >> locally (e.g. loaded from the "file://" access scheme). In this case, >> CORS preflight requests and simple cross-origin requests are sent with >> a "null" (String) value for Origin. Initially, I thought this was a >> bug and filed it with Mozilla[1]. Jonas pointed out (rightfully) that >> I need to do a better job reading the spec and that a "null" string >> value is perfectly acceptable. >> >> However, I noticed that Firefox would fail to issue the follow on >> request after a successful pre-flight request IFF the server returned >> the "null" string for Access-Control-Allow-Origin, even though that's >> what the user agent originally sent. I added this finding onto the >> same bug (see also). Jonas responded that it appears that the CORS >> spec had changed since that was implemented in Firefox, and that he >> believes the spec may be incorrect. I was able to verify that Firefox >> behaves properly only if the server sends "*" for >> Access-Control-Allow-Origin. >> >> I dug a bit through the archives but I couldn't find the rationale for >> the change to the CORS spec. I did notice that the change occurred >> *after* the spec dated 14 Feb 2008[2], or at least the notion that >> "null" matches nothing disappeared after that time, and that the >> current spec[3] explicitly states in section 6.2 that the Resource >> Sharing Check algorithm "...also functions when the ASCII >> serialization of an origin is the string 'null'." >> >> --sgp >> cf. smerpology.org >> >> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=533987 >> [2] http://www.w3.org/TR/2008/WD-access-control-20080214 >> [3] http://www.w3.org/TR/2009/WD-cors-20090317/ > > FWIW, I always intended it to be like this. If the specification ever said > otherwise that would be an oversight. The February 2008 draft is not really > comparable with what Firefox implemented by the way. The general idea > remained the same, but the syntax and specifics changed a lot. My recollection from the meeting in seattle was that we did not want to allow this. In any case, it does seem like a very strange feature to me. Sending Access-Control-Allow-Origin: null would then mean essentially, "allow access to everyone who I don't know who it is". I can't think of a situation where this makes sense. / Jonas
Received on Monday, 14 December 2009 10:04:28 UTC