[whatwg] WebSocket websocket-origin

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 06 Oct 2008 14:02:00 +0200
Message-ID: <op.uilqdmnv64w2qv@annevk-t60.oslo.opera.com>

On Mon, 29 Sep 2008 20:41:23 +0200, Anne van Kesteren <annevk at opera.com> wrote:
> What is the reason for doing literal comparison on the websocket-origin  
> and websocket-location HTTP headers? Access Control for Cross-Site  
> Requests is currently following this design for  
> access-control-allow-origin but sicking is complaining about it, so maybe it
> should be URL-without-<path> comparison instead. (E.g., then  
> http://example.org and http://example.org:80 would be equivalent.)

For those not following IRC,  
http://krijnhoetmer.nl/irc-logs/whatwg/20081003#l-5 has more discussion on  
this subject. It seems like literal comparison is what I'll keep doing for  
access-control-allow-origin for now.

(If we decide it should be a same origin check that fails if <path> is  
provided at some later point we can always change it I think as that would  
be a superset of the current algorithm.)

Anne van Kesteren
Received on Monday, 6 October 2008 05:02:00 UTC
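
The two comparisons discussed in this message, side by side, as an added example that is not part of the original mail or of any specification text. The function names are hypothetical, the header values are constructed, and treating a bare trailing "/" as a provided <path> is an assumption.

```javascript
// Added example; function names are hypothetical and all sample values are constructed.

// Literal comparison: the header value must equal the expected origin string exactly.
function literalMatch(headerValue, expectedOrigin) {
  return headerValue === expectedOrigin;
}

// Parse a value that must be scheme://host[:port] with no <path>.
// Returns the normalized origin (scheme and host lowercased, default port dropped),
// or null if the value has a path, query, fragment or userinfo, or does not parse.
function originWithoutPath(value) {
  // Assumption: even a bare trailing "/" counts as a provided <path>.
  if (!/^[a-z][a-z0-9+.-]*:\/\/[^\/\\?#]+$/i.test(value)) return null;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  return url.origin;
}

// Same-origin comparison that fails if <path> is provided.
function sameOriginMatch(headerValue, expectedOrigin) {
  const a = originWithoutPath(headerValue);
  const b = originWithoutPath(expectedOrigin);
  return a !== null && a === b;
}

// Run both checks over a list of header values and collect the verdicts.
function compare(expectedOrigin, headerValues) {
  return headerValues.map((v) => ({
    value: v,
    literal: literalMatch(v, expectedOrigin),
    sameOrigin: sameOriginMatch(v, expectedOrigin),
  }));
}

const rows = compare("http://example.org", [
  "http://example.org",      // identical string
  "http://example.org:80",   // explicit default port
  "HTTP://EXAMPLE.ORG",      // different case in scheme and host
  "http://example.org/chat", // <path> provided
  "http://example.org:8080", // different port
  "https://example.org",     // different scheme
]);
console.table(rows);
```

Every value the literal check accepts is also accepted by the origin check, which is the superset relationship the message relies on for changing the algorithm later.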
