Anne van Kesteren wrote:
> On Fri, 08 Aug 2008 11:38:55 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> String comparison is not going to be ok either way. The following two
>> origins are equivalent:
>>
>> http://www.foo.com
>> http://www.foo.com:80
>
> My proposal was to treat those as non-equivalent. Basically, to require
> Access-Control-Allow-Origin to have the same value as Origin.

The downside with doing that is that we can't use the same syntax for
Access-Control as for postMessage. (Yes, I'm still intending to get
postMessage fixed, haven't had time yet though).

Not sure how big the value is in that though...

/ Jonas
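
The two matching rules discussed in this message, side by side, as an added example that is not part of the original thread: exact string comparison of Access-Control-Allow-Origin against Origin, and comparison of the (scheme, host, port) tuple with default ports filled in. The function names are hypothetical, the sample values are constructed, and the parser assumes http/https origins without IPv6 literals.

```javascript
// Added example: string match vs. tuple match for origin values.
const DEFAULT_PORTS = { http: 80, https: 443 };
// scheme://host[:port] only; no userinfo, path, query or fragment allowed.
const ORIGIN_RE = /^(https?):\/\/([^\/:?#@\s]+)(?::(\d{1,5}))?$/i;

// Parse a serialized origin into a normalized tuple, or null if malformed.
function originTuple(value) {
  const m = ORIGIN_RE.exec(value);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  // A missing port means the scheme's default port.
  const port = m[3] === undefined ? DEFAULT_PORTS[scheme] : Number(m[3]);
  if (port < 1 || port > 65535) return null;
  return { scheme, host: m[2].toLowerCase(), port };
}

// Rule 1: the header value must be byte-for-byte the Origin value.
function sameOriginString(allowOrigin, origin) {
  return allowOrigin === origin;
}

// Rule 2: the two values must denote the same (scheme, host, port).
// Malformed input never matches (fail closed).
function sameOriginTuple(allowOrigin, origin) {
  const a = originTuple(allowOrigin);
  const b = originTuple(origin);
  return a !== null && b !== null &&
    a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed sample pairs: [Access-Control-Allow-Origin, Origin].
const CASES = [
  ["http://www.foo.com", "http://www.foo.com"],
  ["http://www.foo.com:80", "http://www.foo.com"],
  ["http://WWW.FOO.COM", "http://www.foo.com"],
  ["http://www.foo.com:8080", "http://www.foo.com"],
  ["https://www.foo.com", "http://www.foo.com"],
  ["http://www.foo.com/", "http://www.foo.com"],
];

for (const [allow, origin] of CASES) {
  console.log(allow.padEnd(26), origin.padEnd(20),
    "string:", sameOriginString(allow, origin),
    "tuple:", sameOriginTuple(allow, origin));
}
```

Under the string rule a server that echoes a hand-written value with an explicit default port is simply refused; under the tuple rule both sides must agree on the normalization, which is where implementations can diverge.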