- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 20 Oct 2008 15:13:22 +0000 (UTC)
On Tue, 14 Oct 2008, Adam Barth wrote:
>
> Section 5.3 defines the serialization of an origin that is not a
> scheme/host/port triple as the empty string. This serialization (in its
> ASCII variation) is used by the Access Control for Cross-Site Requests
> spec to serialize an origin to an HTTP header. Using the empty string
> to represent these origins asks server operators to distinguish requests
> with an empty Origin header from requests without an Origin header.
> Server operators will often wish to take drastically different actions
> based on these requests, but this difference can be tricky to
> distinguish in some languages, such as mod_security and PHP.
>
> We should change the serialization of these origins to the string
> literal "null" as they were serialized in a previous draft of the Access
> Control spec. This would have the effect of changing the origin
> property of message events generated by postMessage(), but this change
> is unlikely to break users of that API as the empty string case is quite
> unusual.

Done.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 20 October 2008 08:13:22 UTC
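
Added example (not part of the original message or of either spec): a server-side check that keeps an absent Origin header, an empty one, and the literal "null" apart, which is the distinction the thread is about. The allowlist, the function names and the "fallback" policy are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED = {("https", "app.example", 443)}  # constructed allowlist (assumption)

def naive_is_absent(headers):
    # Pitfall: truthiness treats a missing header and an empty one alike.
    return not headers.get("Origin")

def classify_origin(headers):
    """Return (kind, triple); kind is absent, empty, opaque, invalid or triple."""
    # Header names are case-insensitive; None (absent) stays distinct from "".
    value = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if value is None:
        return ("absent", None)
    value = value.strip()
    if value == "":
        return ("empty", None)   # the serialization the thread replaces
    if value == "null":
        return ("opaque", None)  # origin that is not a scheme/host/port triple
    try:
        parts = urlsplit(value)
        port = parts.port        # raises ValueError on a malformed port
    except ValueError:
        return ("invalid", None)
    scheme, host = parts.scheme.lower(), parts.hostname
    # A serialized origin is scheme://host[:port] with nothing else attached.
    extra = parts.path or parts.query or parts.fragment or parts.username or parts.password
    if not scheme or not host or extra:
        return ("invalid", None)
    port = port if port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        return ("invalid", None)
    return ("triple", (scheme, host, port))

def decide(headers):
    """Hypothetical policy: 'fallback' means apply the rules for clients sending no Origin."""
    kind, triple = classify_origin(headers)
    if kind == "absent":
        return "fallback"
    if kind == "triple" and triple in ALLOWED:
        return "allow"
    return "deny"  # empty, "null", malformed, or a triple not on the allowlist
```

The naive check returns the same answer for a missing header and an empty one; `classify_origin` separates them and treats "null" as its own case rather than as a host name.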