Anne van Kesteren wrote:
> On Wed, 30 Jul 2008 18:19:20 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> Please note that
>>
>>   Access-Control-Allow-Origin: url
>>
>> is also allowed syntax. Where the url must contain only scheme, [host,
>> and port].
>>
>> So the following syntax is allowed:
>>
>>   Access-Control-Allow-Origin: http://example.com
>>
>> It is somewhat unclear if the following syntaxes are allowed:
>>
>>   Access-Control-Allow-Origin: http://example.com/
>>   Access-Control-Allow-Origin: http://example.com/?
>>   Access-Control-Allow-Origin: http://example.com/#
>>   Access-Control-Allow-Origin: http://example.com/;
>>
>> I think the first one should be ok, but not the other three.
>
> I think all of these should be disallowed.
>
> My plan is to simply require Access-Control-Allow-Origin to hold the
> ASCII serialization of an origin (see HTML5) and have a literal
> comparison of that with the value of Origin. This would be quite strict,
> but should be fine I think.
Oops, sorry, should have commented here instead.
String comparisons are not going to work either way. The following two
origins are equivalent:

  http://example.com:80
  http://example.com
I also suspect there are ways of using punycode to encode strict ASCII
host names which would result in a same origin check returning true even
when string checks wouldn't; I'm less sure about that though.
/ Jonas