- From: Adam Barth <whatwg@adambarth.com>
- Date: Tue, 14 Oct 2008 01:05:06 -0700
Section 5.3 defines the serialization of an origin that is not a scheme/host/port triple as the empty string. This serialization (in its ASCII variation) is used by the Access Control for Cross-Site Requests spec to serialize an origin to an HTTP header.

Using the empty string to represent these origins asks server operators to distinguish requests with an empty Origin header from requests without an Origin header. Server operators will often wish to take drastically different actions based on these requests, but this difference can be tricky to distinguish in some languages, such as mod_security and PHP.

We should change the serialization of these origins to the string literal "null" as they were serialized in a previous draft of the Access Control spec. This would have the effect of changing the origin property of message events generated by postMessage(), but this change is unlikely to break users of that API as the empty string case is quite unusual.

Adam
Received on Tuesday, 14 October 2008 01:05:06 UTC
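
The distinction the message describes, as an added example that is not part of the original post: a truthiness test on the Origin header treats an empty value and a missing header alike, while the literal "null" stays distinguishable. It assumes a CGI/WSGI-style environ dict with an HTTP_ORIGIN key; the function names and sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

ABSENT, EMPTY, NULL, TRIPLE, MALFORMED = "absent", "empty", "null", "triple", "malformed"


def naive_has_origin(environ):
    """Truthiness test: cannot tell an empty Origin header from a missing one."""
    return bool(environ.get("HTTP_ORIGIN"))


def classify_origin(environ):
    """Return (kind, triple) so each serialization can get its own policy."""
    if "HTTP_ORIGIN" not in environ:
        return ABSENT, None              # client sent no Origin header at all
    value = environ["HTTP_ORIGIN"].strip()
    if value == "":
        return EMPTY, None               # non-triple origin, empty-string serialization
    if value == "null":
        return NULL, None                # non-triple origin, proposed "null" serialization
    parts = urlsplit(value)
    try:
        port = parts.port                # None means the scheme's default port
    except ValueError:
        return MALFORMED, None           # non-numeric or out-of-range port
    if parts.scheme and parts.hostname and not (parts.path or parts.query or parts.fragment):
        return TRIPLE, (parts.scheme, parts.hostname, port)
    return MALFORMED, None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "no_header": {"REQUEST_METHOD": "POST"},
    "empty_header": {"REQUEST_METHOD": "POST", "HTTP_ORIGIN": ""},
    "null_header": {"REQUEST_METHOD": "POST", "HTTP_ORIGIN": "null"},
    "triple_header": {"REQUEST_METHOD": "POST", "HTTP_ORIGIN": "https://example.com:8443"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:14} naive={naive_has_origin(env)!s:5} kind={classify_origin(env)[0]}")
```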