- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 06 Oct 2008 14:02:00 +0200
On Mon, 29 Sep 2008 20:41:23 +0200, Anne van Kesteren <annevk at opera.com> wrote:
> What is the reason for doing literal comparison on the websocket-origin
> and websocket-location HTTP headers? Access Control for Cross-Site
> Requests is currently following this design for
> access-control-allow-origin but sicking is complaining about so maybe it
> should be URL-without-<path> comparison instead. (E.g., then
> http://example.org and http://example.org:80 would be equivalent.)

For those not following IRC, http://krijnhoetmer.nl/irc-logs/whatwg/20081003#l-5 has more discussion on this subject. It seems like literal comparison is what I'll keep doing for access-control-allow-origin for now. (If we decide it should be a same origin check that fails if <path> is provided at some later point we can always change it I think as that would be a superset of the current algorithm.)

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 6 October 2008 05:02:00 UTC
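
The two comparison rules discussed in this message, side by side, as an added example that is not part of the original e-mail. The function names and sample header values are constructed for illustration, and the origin rule is limited to http and https as an assumption.

```javascript
// Added example (not from the original e-mail); all names are hypothetical.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Rule 1: literal comparison, an exact string match on the header value.
function literalMatch(headerValue, requestOrigin) {
  return headerValue === requestOrigin;
}

// Reduce a value to a normalized "scheme://host:port" string.
// Returns null when anything beyond scheme and authority is present
// (path, query, fragment, userinfo) or when the value does not parse.
function originTuple(value) {
  if (!/^https?:\/\/[^\/?#@]+$/i.test(value)) return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  // URL lowercases scheme and host and reports the default port as "".
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORT[u.protocol]}`;
}

// Rule 2: same-origin check that fails if a <path> is provided.
function originMatch(headerValue, requestOrigin) {
  const a = originTuple(headerValue);
  return a !== null && a === originTuple(requestOrigin);
}

// Constructed sample values for access-control-allow-origin.
const REQUEST_ORIGIN = "http://example.org";
const SAMPLES = [
  "http://example.org",       // identical string
  "http://example.org:80",    // explicit default port
  "HTTP://Example.ORG",       // case differences in scheme and host
  "http://example.org/",      // a path is provided, even if only "/"
  "http://example.org:8080",  // different port, different origin
  "https://example.org",      // different scheme, different origin
];

// Evaluate every sample under both rules.
function compareAll() {
  return SAMPLES.map((header) => ({
    header,
    literal: literalMatch(header, REQUEST_ORIGIN),
    origin: originMatch(header, REQUEST_ORIGIN),
  }));
}

console.table(compareAll());
```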