Maciej Stachowiak wrote:

On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:

I’m in time pressure to lock down the header names for Beta 2 to integrate XDR with AC. It seems nobody has objected to Jonas’s proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
Please let me know if this discussion is closed so we can make the change.

I think Anne's email represents the most recent agreement and I don't think anyone has objected: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html

The change would be: Instead of checking for "XDomainRequestAllowed: 1" check for "Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url" where url matches what was sent in the Origin header.

'url' is parsed as an absolute URL using the internal parser used for normal URL parsing, but if the resulting URL contains anything other than scheme, domain and port then access should be denied. I.e. if the url contains a path, a query string, a fragment or similar, the header is considered invalid and MUST be ignored.

/ Jonas
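The check Jonas describes, as an added example that is not code from the thread or from any browser: a hypothetical helper allowOriginMatches() applies the rule to the value the client sent in Origin and the Access-Control-Allow-Origin value the server returned. It assumes Node's WHATWG URL class stands in for "the internal parser used for normal URL parsing"; the engines of 2008 had their own parsers.

```javascript
// Hypothetical helper (not from the thread): decide whether an
// Access-Control-Allow-Origin header grants access to requestOrigin,
// the value the client sent in its Origin header.
function allowOriginMatches(requestOrigin, allowOriginHeader) {
  if (allowOriginHeader === null || allowOriginHeader === undefined) {
    return false;                          // header absent: deny
  }
  const value = allowOriginHeader.trim();
  if (value === "*") return true;          // wildcard grant

  // The header may carry only scheme://host[:port]. Anything after the
  // authority (a path, query, fragment) or userinfo before it makes the
  // header invalid, and an invalid header MUST be ignored (access denied).
  const shapeOk = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#@]*$/i.test(value);
  if (!shapeOk) return false;

  let allowed, origin;
  try {
    // Parsing normalises case, drops default ports and applies IDNA, so
    // "HTTP://EXAMPLE.COM:80" compares equal to "http://example.com".
    allowed = new URL(value);
    origin = new URL(requestOrigin);
  } catch (e) {
    return false;                          // unparsable on either side: deny
  }

  // Only scheme, domain and port take part in the comparison.
  return allowed.protocol === origin.protocol &&
         allowed.hostname === origin.hostname &&
         allowed.port === origin.port;
}
```

Note that the CORS algorithm that was eventually standardised compares the Origin serialization against the header value byte-for-byte rather than parsing it; this block follows the proposal in the thread.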
