Jonas Sicking wrote:
Anne van Kesteren wrote:
On Fri, 08 Aug 2008 11:38:55 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
String comparison is not going to be ok either way. The following two
origins are equivalent:
http://www.foo.com
http://www.foo.com:80
My proposal was to treat those as non-equivalent. Basically, to
require Access-Control-Allow-Origin to have the same value as Origin.
The downside with doing that is that we can't use the same syntax for
Access-Control as for postMessage. (Yes, I'm still intending to get
postMessage fixed, haven't had time yet though).
Not sure how big the value is in that though...
The big worry I have, though, is whether there is any possibility to
punycode-encode the same origin in multiple ways (other than with or without
the default port). This could lead to different UAs encoding the same origin
in different ways, which could lead to interoperability issues if sites,
rather than echoing the 'Origin' header, always send out a static value
for the Access-Control-Allow-Origin header.
In general, I don't think it's a lot of work to require a strict
same-origin check. All browsers should have such an algorithm
implemented anyway.
/ Jonas
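The two checks the thread contrasts, as an added example that is not part of the original messages or of any browser's code: a strict byte-for-byte match of Access-Control-Allow-Origin against Origin, beside a same-origin comparison of (scheme, host, port) tuples with default-port normalisation. Host canonicalisation (lowercasing, IDNA/punycode) is delegated to Node's WHATWG URL parser, which is the assumption here; the origin strings are constructed.

```javascript
// Default ports per scheme; a tuple comparison must fold these away so that
// "http://www.foo.com" and "http://www.foo.com:80" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a serialised origin into its (scheme, host, port) tuple, or return
// null if the string is not a bare origin (path, query, fragment or
// credentials present). The URL parser lowercases the host and applies
// IDNA, so the hostname is already in its canonical ASCII form.
function originTuple(s) {
  let u;
  try { u = new URL(s); } catch (e) { return null; }
  if (s.endsWith("/") || u.pathname !== "/" || u.search || u.hash) return null;
  if (u.username || u.password) return null;
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Same-origin check: all three tuple components must match.
function sameOrigin(a, b) {
  const ta = originTuple(a), tb = originTuple(b);
  return !!ta && !!tb &&
    ta.scheme === tb.scheme && ta.host === tb.host && ta.port === tb.port;
}

// Canonical serialisation of an origin (default port dropped, host in its
// IDNA form). A UA that sends Origin in this form lets a site answer with a
// static Access-Control-Allow-Origin value and still pass a strict match.
function canonicalOrigin(s) {
  return originTuple(s) ? new URL(s).origin : null;
}

// Strict check (Anne's proposal): the response header must equal the
// request's Origin header exactly.
function allowedStrict(originHeader, acaoHeader) {
  return acaoHeader === originHeader;
}

// Tuple check (Jonas's concern): the response header must denote the same
// origin, so the :80 spelling is accepted for an http origin.
function allowedSameOrigin(originHeader, acaoHeader) {
  return sameOrigin(originHeader, acaoHeader);
}

// Constructed pair from the thread: equivalent origins, different strings.
const ORIGIN = "http://www.foo.com";
const ACAO_WITH_PORT = "http://www.foo.com:80";
console.log("strict:", allowedStrict(ORIGIN, ACAO_WITH_PORT));         // false
console.log("same-origin:", allowedSameOrigin(ORIGIN, ACAO_WITH_PORT)); // true
```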