On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
> Please note that
> Access-Control-Allow-Origin: url
> is also allowed syntax. Where the url must contain only scheme, [host,
> and port].
> So the following syntax is allowed:
> Access-Control-Allow-Origin: http://example.com
> It is somewhat unclear if the following syntaxes are allowed:
> Access-Control-Allow-Origin: http://example.com/
> Access-Control-Allow-Origin: http://example.com/?
> Access-Control-Allow-Origin: http://example.com/#
> Access-Control-Allow-Origin: http://example.com/;
> I think the first one should be ok, but not the other three.
I think all of these should be disallowed.
My plan is to simply require Access-Control-Allow-Origin to hold the ASCII
serialization of an origin (see HTML5) and have a literal comparison of
that with the value of Origin. This would be quite strict, but should be
fine I think.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
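The strict rule Anne proposes above (Access-Control-Allow-Origin must be the ASCII serialization of an origin, compared literally against Origin), as an added example that is not part of the thread or of any browser's code. It assumes a lowercase ASCII scheme, an ASCII hostname or IPv4 literal and an optional decimal port; IPv6 literals, punycode hosts and the "*" wildcard are left out. The constructed candidates are the four header values from the thread plus two extra variants.

```javascript
// Shape of the ASCII serialization of a tuple origin: scheme://host[:port].
// Assumption for this example: lowercase scheme, ASCII dotted host, optional port.
// No path, query or fragment is permitted, so "http://example.com/" etc. fail.
const ORIGIN_RE =
  /^[a-z][a-z0-9+.-]*:\/\/[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*(?::\d{1,5})?$/;

function isAsciiOriginSerialization(value) {
  // Reject anything outside printable ASCII first, then require the tuple shape.
  if (typeof value !== "string" || !/^[\x21-\x7e]*$/.test(value)) return false;
  return ORIGIN_RE.test(value);
}

function allowOriginMatches(allowOriginHeader, originHeader) {
  // Both headers must be well-formed serializations; after that the only
  // accepted match is a byte-for-byte equal string (no URL normalization).
  if (!isAsciiOriginSerialization(allowOriginHeader)) return false;
  if (!isAsciiOriginSerialization(originHeader)) return false;
  return allowOriginHeader === originHeader;
}

// Constructed sample values: the request's Origin and candidate
// Access-Control-Allow-Origin values discussed in the thread, plus two extras.
const ORIGIN = "http://example.com";
const CANDIDATES = [
  "http://example.com",    // exact serialization: allowed
  "http://example.com/",   // trailing slash: not an origin serialization
  "http://example.com/?",  // empty query: rejected
  "http://example.com/#",  // empty fragment: rejected
  "http://example.com/;",  // path with ';': rejected
  "http://example.com:80", // well-formed, but not literally equal to Origin
  "HTTP://example.com",    // uppercase scheme: not the canonical serialization
];

function evaluateCandidates(origin = ORIGIN, candidates = CANDIDATES) {
  return candidates.map((v) => ({ value: v, allowed: allowOriginMatches(v, origin) }));
}

for (const r of evaluateCandidates()) {
  console.log(`${r.allowed ? "allow " : "reject"}  ${r.value}`);
}
```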