W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2008

[whatwg] "null" versus "" in origin serialization

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 20 Oct 2008 15:13:22 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0810201509331.1237@hixie.dreamhostps.com>
On Tue, 14 Oct 2008, Adam Barth wrote:
> Section 5.3 defines the serialization of an origin that is not a 
> scheme/host/port triple as the empty string.  This serialization (in its 
> ASCII variation) is used by the Access Control for Cross-Site Requests 
> spec to serialize an origin to an HTTP header.  Using the empty string 
> to represent these origins asks server operators to distinguish requests 
> with an empty Origin header from requests without an Origin header.  
> Server operators will often wish to take drastically different actions 
> based on these requests, but this difference can be tricky to 
> distinguish in some languages, such as mod_security and PHP.
> We should change the serialization of these origins to the string 
> literal "null" as they were serialized in a previous draft of the Access 
> Control spec.  This would have the effect of changing the origin 
> property of message events generated by postMessage(), but this change 
> is unlikely to break users of that API as the empty string case is quite 
> unusual.


Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 20 October 2008 08:13:22 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:06 UTC