- From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- Date: Thu, 04 Aug 2011 14:46:18 +0200
- To: public-webapps@w3.org
On Thu, 2011-08-04 at 00:12 +0200, Anne van Kesteren wrote:
> On Wed, 03 Aug 2011 19:43:28 +0200, Philippe De Ryck
> <philippe.deryck@cs.kuleuven.be> wrote:
> > CORS-ISOLATION-1. Unique Origins: When run in a document with a globally
> > unique identifier for an origin, the Origin header specification
> > requires that null should be sent as the value of the Origin header. The
> > algorithms listed in the CORS specification do not explicitly take the
> > null value into account, leading to some illogical scenarios. It is for
> > instance valid that a request sends origin null and the server responds
> > with an Allow-Origin header with the value null.
>
> Is that problematic? This is a feature.

If this was intended as a feature, the spec should reflect this more clearly.

Additionally, this feature allows the use of null as the basis for access control. How can the server use this to decide whether it should allow access or not? Any origin can cause the origin header to be set to null by loading itself in a sandboxed iframe, essentially reducing null to the same level as the wildcard value (without the server-side information about the source origin). The only difference is that for null, credentials are allowed, but for a wildcard they are not, which again is very confusing, even contradictory.

--
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Received on Thursday, 4 August 2011 12:47:12 UTC
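The point of the message above is that `Access-Control-Allow-Origin: null` with credentials gives the server no usable identity to base access control on. The following added example (not part of the thread, and not from any W3C specification text) contrasts a server-side CORS decision routine that reflects whatever Origin it receives, including `null`, with one that only answers for a real, allow-listed origin. The function names `corsHeadersWeak` and `corsHeadersHardened`, the allow list and the sample Origin values are all constructed for illustration.

```javascript
// Added example, not from the W3C thread: two server-side CORS decision
// routines fed the value of a request's Origin header. Names, allow list and
// sample origins are constructed assumptions for this illustration.

// Constructed allow list of origins that may make credentialed requests.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

// Weak variant: reflects any Origin that is present and grants credentials.
// A document with an opaque origin (e.g. one in a sandboxed iframe) sends
// "Origin: null", and this routine answers "Access-Control-Allow-Origin: null"
// with credentials, which is the scenario the message calls out: "null" says
// nothing about who is asking, so this is effectively "*" plus credentials.
function corsHeadersWeak(originHeader) {
  if (originHeader === undefined) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened variant: "null" is not an origin the server can reason about, so it
// is treated exactly like an absent or unknown Origin and gets no CORS headers.
// Only a parseable, allow-listed origin receives a credentialed answer, and the
// response carries "Vary: Origin" so caches keep per-origin answers apart.
function corsHeadersHardened(originHeader, allowed = ALLOWED_ORIGINS) {
  if (originHeader === undefined || originHeader === "null") return {};
  let parsed;
  try {
    parsed = new URL(originHeader); // rejects non-URL junk such as "null"
  } catch {
    return {};
  }
  const normalized = parsed.origin; // scheme://host[:port], host lower-cased
  if (normalized === "null" || !allowed.has(normalized)) return {};
  return {
    "Access-Control-Allow-Origin": normalized,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Stand-alone demonstration over constructed Origin header values.
for (const origin of [undefined, "null", "https://app.example", "https://evil.example"]) {
  console.log(String(origin), "weak:", corsHeadersWeak(origin),
              "hardened:", corsHeadersHardened(origin));
}
```

Rejecting `null` is the safe default because, as the message notes, any page can arrange to send it, so a response tailored to `null` cannot distinguish a trusted embedder from an arbitrary one; a server that genuinely needs to serve opaque-origin documents should do so without credentials, the same way it would for `*`.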