Please note that

Access-Control-Allow-Origin: url

is also allowed syntax, where the url must contain only scheme, domain and host.

So the following syntax is allowed:
Access-Control-Allow-Origin: http://example.com

It is somewhat unclear if the following syntaxes are allowed:

Access-Control-Allow-Origin: http://example.com/
Access-Control-Allow-Origin: http://example.com/?
Access-Control-Allow-Origin: http://example.com/#
Access-Control-Allow-Origin: http://example.com/;


I think the first one should be ok, but not the other three.

/ Jonas



Sunava Dutta wrote:
Access-Control-Allow-Origin: * seems to be the consensus for the public 
scenario, please confirm.
On a less urgent note did we get any further traction on the discussion on 
angle brackets for the URL specified scenario? The last mail here seems to be 
on 7/21.


-----Original Message-----
From: Maciej Stachowiak [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 19, 2008 9:32 PM
To: Jonas Sicking
Cc: Sunava Dutta; [EMAIL PROTECTED]; Sharath Udupa; Zhenbin Xu; Gideon
Cohn; public-webapps@w3.org; IE8 Core AJAX SWAT Team
Subject: Re: XDomainRequest Integration with AC


On Jul 18, 2008, at 11:15 PM, Jonas Sicking wrote:

Maciej Stachowiak wrote:
On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
I'm in time pressure to lock down the header names for Beta 2 to
integrate XDR with AC. It seems no body has objected to Jonas's
proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
Please let me know if this discussion is closed so we can make the
change.
I think Anne's email represents the most recent agreement and I
don't think anyone has objected:
http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
The change would be: Instead of checking for
"XDomainRequestAllowed: 1" check for "Access-Control-Allow-Origin:
*" or "Access-Control-Allow-Origin: url" where url matches what was
sent in the Origin header.
So I have one final request for a change to the above syntax.

How would people feel about the syntax

Access-Control-Allow-Origin: <url>
I don't think the angle brackets are necessary for forward compat,
since we can just disallow spaces from the URL.

  - Maciej


This would give us at least something for a forwards compatibility
story if we wanted to add to the syntax in future versions of the
spec. I really think we are being overly optimistic if we think that
the current syntax is the be-all end-all syntax that we'll ever want.

For example during the meeting we talked about that banks might want
to enforce that the requesting site uses a certain level of
encryption, or even a certain certificate. A syntax for that might
be:
Access-Control-Allow-Origin: origin <https://foo.com> encryption sha1

Or that the site in question uses some opt-in XSS mitigation
technology (such as the one drafted by Brandon Sterns in a previous
thread in this WG). This could be done as

Access-Control-Allow-Origin: origin <https://foo.com> require-xss-protection

So the formal syntax would be

"Access-Control-Allow-Origin:" "<" ("*" | url) ">"

/ Jonas

/ Jonas
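An added example, not code from this thread or from any of the browser implementations discussed in it, to make the two syntaxes concrete. The first function applies the rule the thread agrees on (`*`, or a value that matches the request's Origin header) under the strict reading in Jonas's top message: the value may carry only scheme, host and an optional port, so all four trailing-character variants he lists are rejected, including the bare trailing slash that the thread leaves open. The second function parses the angle-bracket form from Jonas's proposal, `<url>` or `<*>` followed by option tokens. Which option keys take an argument (`encryption`), treating any other token as a boolean flag, and folding of the default ports 80 and 443 are assumptions made here for illustration only.

```javascript
"use strict";

// Added example: not from the thread. Assumed default ports, folded so that
// "http://example.com" and "http://example.com:80" compare equal.
const DEFAULT_PORTS = { http: 80, https: 443 };

// Parse a value of the exact form scheme://host[:port].
// Anything after the host/port (a "/", "?", "#", ";" or whitespace) makes
// the whole value invalid, which is the strict reading of the thread.
function parseBareOrigin(value) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):\/\/([^\/?#:;\s]+)(?::(\d{1,5}))?$/.exec(value);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const port = m[3] ? Number(m[3]) : (DEFAULT_PORTS[scheme] ?? null);
  return { scheme, host, port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does this Access-Control-Allow-Origin value grant the request's Origin?
// "*" grants everyone; otherwise the value must parse as a bare origin and
// match the request Origin field by field.
function originAllowed(headerValue, requestOrigin) {
  const value = headerValue.trim();
  if (value === "*") return true;
  const granted = parseBareOrigin(value);
  const requested = parseBareOrigin(requestOrigin.trim());
  if (!granted || !requested) return false;
  return sameOrigin(granted, requested);
}

// Assumed for illustration: option keys that consume one following token.
// Every other token after the bracketed origin is treated as a boolean flag,
// e.g. "require-xss-protection".
const VALUE_KEYS = new Set(["encryption"]);

// Parse Jonas's proposed extensible syntax:
//   "Access-Control-Allow-Origin:" "<" ("*" | url) ">" [options...]
// with an optional leading "origin" keyword as in his examples, e.g.
//   origin <https://foo.com> encryption sha1
// Returns { origin: "*" | {scheme, host, port}, options: {...} } or null.
function parseExtendedValue(headerValue) {
  const m = /^(?:origin\s+)?<([^<>\s]+)>\s*(.*)$/.exec(headerValue.trim());
  if (!m) return null;
  const origin = m[1] === "*" ? "*" : parseBareOrigin(m[1]);
  if (!origin) return null;
  const tokens = m[2].split(/\s+/).filter(Boolean);
  const options = {};
  for (let i = 0; i < tokens.length; i++) {
    const key = tokens[i];
    if (VALUE_KEYS.has(key) && i + 1 < tokens.length) {
      options[key] = tokens[++i];
    } else {
      options[key] = true;
    }
  }
  return { origin, options };
}

// Grant check for the extended form: returns the parsed options when the
// bracketed origin covers the request Origin, otherwise null.
function extendedAllowed(headerValue, requestOrigin) {
  const parsed = parseExtendedValue(headerValue);
  if (!parsed) return null;
  if (parsed.origin === "*") return parsed.options;
  const requested = parseBareOrigin(requestOrigin.trim());
  if (!requested || !sameOrigin(parsed.origin, requested)) return null;
  return parsed.options;
}

// Constructed sample values, run when executed directly.
if (typeof require !== "undefined" && require.main === module) {
  for (const v of ["*", "http://example.com", "http://example.com/",
                   "http://example.com/?", "http://example.com/#", "http://example.com/;"]) {
    console.log(JSON.stringify(v), "->", originAllowed(v, "http://example.com"));
  }
  console.log(extendedAllowed("origin <https://foo.com> encryption sha1", "https://foo.com"));
}
```

Because the matching is done on parsed fields rather than raw string equality, the validator stays strict about trailing characters while still treating an explicit default port as the same origin; drop the `DEFAULT_PORTS` fold if byte-for-byte comparison with the Origin header is wanted instead.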



