Anne van Kesteren wrote:
> On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> Please note that
>>
>>   Access-Control-Allow-Origin: url
>>
>> is also allowed syntax. Where the url must contain only scheme, [host,
>> and port].
>>
>> So the following syntax is allowed:
>>
>>   Access-Control-Allow-Origin: http://example.com
>>
>> It is somewhat unclear if the following syntaxes are allowed:
>>
>>   Access-Control-Allow-Origin: http://example.com/
>>   Access-Control-Allow-Origin: http://example.com/?
>>   Access-Control-Allow-Origin: http://example.com/#
>>   Access-Control-Allow-Origin: http://example.com/;
>>
>> I think the first one should be ok, but not the other three.
>
> I think all of these should be disallowed.
>
> My plan is to simply require Access-Control-Allow-Origin to hold the
> ASCII serialization of an origin (see HTML5) and have a literal
> comparison of that with the value of Origin. This would be quite strict,
> but should be fine I think.

That is fine, though I'm inclined to think that the trailing slash
should be allowed in the HTML5 syntax for an origin.
/ Jonas
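
The two positions in this thread, as an added example that is not part of either message or of the specification: a strict check (the header must be a serialized origin and equal Origin literally) beside a variant that tolerates one trailing slash. It assumes the WHATWG URL API's `origin` getter as a stand-in for HTML5's ASCII serialization of an origin; the function names are hypothetical.

```javascript
// Assumption: URL.prototype.origin stands in for the "ASCII serialization
// of an origin" that the thread takes from HTML5.

// True only if `value` is already exactly scheme://host[:port].
function isSerializedOrigin(value) {
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return false; // not an absolute URL at all
  }
  // Any path, query, fragment, default port or uppercase makes these differ.
  return parsed.origin === value;
}

// Strict proposal: serialized origin in the header, literal comparison
// with the request's Origin value.
function matchesStrict(allowOrigin, requestOrigin) {
  return isSerializedOrigin(allowOrigin) && allowOrigin === requestOrigin;
}

// Tolerant variant: accept exactly one trailing "/" and nothing else.
function matchesWithTrailingSlash(allowOrigin, requestOrigin) {
  const trimmed = allowOrigin.endsWith("/")
    ? allowOrigin.slice(0, -1)
    : allowOrigin;
  return matchesStrict(trimmed, requestOrigin);
}

// Header values quoted in the thread, checked against one Origin value.
const REQUEST_ORIGIN = "http://example.com";
const CANDIDATES = [
  "http://example.com",
  "http://example.com/",
  "http://example.com/?",
  "http://example.com/#",
  "http://example.com/;",
];

function classify() {
  return CANDIDATES.map((value) => ({
    value,
    strict: matchesStrict(value, REQUEST_ORIGIN),
    trailingSlash: matchesWithTrailingSlash(value, REQUEST_ORIGIN),
  }));
}

console.table(classify());
```
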