Anne van Kesteren wrote:
On Fri, 08 Aug 2008 11:38:55 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
String comparison is not going to be ok either way. The following two origins are equivalent:

http://www.foo.com
http://www.foo.com:80

My proposal was to treat those as non-equivalent. Basically, to require Access-Control-Allow-Origin to have the same value as Origin.

The downside with doing that is that we can't use the same syntax for Access-Control as for postMessage. (Yes, I'm still intending to get postMessage fixed, haven't had time yet though).

Not sure how big the value is in that though...

/ Jonas
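
The two comparison rules discussed in this message, side by side, as an added example that is not part of the original e-mail or of any specification text. The function names and the sample header pairs are constructed for illustration, and only the http and https default ports are handled (bracketed IPv6 hosts are rejected).

```javascript
// Default ports per scheme; only http/https are handled here (assumption).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Serialize an origin as scheme://host[:port], lower-casing scheme and host
// and dropping the port when it is the scheme's default. Returns null on error.
function canonicalOrigin(value) {
  const m = /^([a-z][a-z0-9+.-]*:)\/\/([^\/:?#@]+)(?::(\d+))?$/i.exec(value);
  if (!m) return null; // not a bare origin (path, userinfo, empty port, ...)
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  if (!(scheme in DEFAULT_PORTS)) return null;
  const port = m[3] === undefined ? DEFAULT_PORTS[scheme] : String(Number(m[3]));
  if (Number(port) < 1 || Number(port) > 65535) return null;
  const isDefault = port === DEFAULT_PORTS[scheme];
  return isDefault ? `${scheme}//${host}` : `${scheme}//${host}:${port}`;
}

// Rule proposed in the thread: the header must equal Origin byte for byte.
function exactMatch(originHeader, allowOriginHeader) {
  return originHeader === allowOriginHeader;
}

// Alternative: compare as origins, so default-port spellings are equivalent.
function equivalentMatch(originHeader, allowOriginHeader) {
  const a = canonicalOrigin(originHeader);
  const b = canonicalOrigin(allowOriginHeader);
  return a !== null && a === b;
}

// Constructed sample pairs: [Origin, Access-Control-Allow-Origin].
const SAMPLES = [
  ["http://www.foo.com", "http://www.foo.com"],
  ["http://www.foo.com", "http://www.foo.com:80"],
  ["http://www.foo.com", "HTTP://WWW.FOO.COM"],
  ["http://www.foo.com", "http://www.foo.com:8080"],
  ["http://www.foo.com", "https://www.foo.com"],
  ["http://www.foo.com", "http://www.foo.com.evil.example"],
];

// Evaluate both rules over every sample pair.
function compareRules() {
  return SAMPLES.map(([origin, allow]) => ({
    origin, allow, exact: exactMatch(origin, allow), equivalent: equivalentMatch(origin, allow),
  }));
}

for (const r of compareRules()) {
  console.log(`${r.allow.padEnd(34)} exact=${r.exact} equivalent=${r.equivalent}`);
}
```

The exact rule needs no parser on the checking side, while the equivalence rule depends on every implementation normalizing case and default ports identically.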
