On Fri, 08 Aug 2008 20:44:04 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
The big worry I have though is if there is any possibility to Punycode-encode the same origin in multiple ways (other than with or without default port). This could lead to different UAs encoding the same origin in different ways, which could lead to interoperability issues if sites rather than echoing the 'Origin' header always send out a static value for the Access-Control-Allow-Origin header.

Is that possible? I don't think it is. Domain names follow a strict set of normalization rules. (That would also mean the Origin header could contain different values depending on the implementation, which is not the case.)


In general, I don't think it's a lot of work to require a strict same-origin check. All browsers should have such an algorithm implemented anyway.

True, but if we can make things simpler that seems better.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
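The point under discussion (a site that emits one static Access-Control-Allow-Origin value relies on every UA serializing the same origin identically), as an added example that is not part of the thread or of any UA's code. It uses the WHATWG URL parser built into Node.js and modern browsers for host normalization (IDNA to ASCII, lowercasing) and makes the rest of the origin serialization rules explicit; the host names, the static ACAO value and the helper names are constructed for illustration.

```javascript
// Added example: origin serialization as carried in the Origin header, and the
// byte-for-byte comparison a server with a static ACAO value performs.

// Default ports of the schemes that have a tuple (non-opaque) origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Serialize the origin of a URL: lowercase scheme, ASCII (Punycode) host,
// port omitted when it is the scheme's default. `URL` already lowercases and
// IDNA-encodes the host, so a UA following the same rules yields one string
// for every spelling of the same origin. Other schemes get the opaque "null".
function serializeOrigin(input) {
  const u = new URL(input);
  if (!(u.protocol in DEFAULT_PORTS)) return "null";
  const port =
    u.port === "" || u.port === DEFAULT_PORTS[u.protocol] ? "" : ":" + u.port;
  return `${u.protocol}//${u.hostname}${port}`;
}

// Server side: a site that always sends the same static ACAO value instead of
// echoing Origin. This is an exact string match, which is why the request
// side must be deterministic.
function corsAllowed(originHeader, staticAllowOrigin) {
  if (staticAllowOrigin === "*") return true;
  return originHeader === staticAllowOrigin;
}

// Constructed static value: the Punycode form of "https://bücher.example".
const SITE_ALLOW_ORIGIN = "https://xn--bcher-kva.example";

// Different spellings of the same origin (constructed), plus near misses.
const SPELLINGS = [
  "https://bücher.example/",
  "https://BÜCHER.EXAMPLE:443/some/path?q=1",
  "https://xn--bcher-kva.example/",
  "https://XN--BCHER-KVA.EXAMPLE:443",
  "https://bücher.example:8443/",   // different port: different origin
  "http://bücher.example/",         // different scheme: different origin
];

// Returns [inputUrl, serializedOrigin, allowed] for each spelling.
function checkAllSpellings() {
  return SPELLINGS.map((s) => {
    const origin = serializeOrigin(s);
    return [s, origin, corsAllowed(origin, SITE_ALLOW_ORIGIN)];
  });
}

for (const [s, origin, ok] of checkAllSpellings()) {
  console.log(`${s.padEnd(40)} -> ${origin.padEnd(36)} allowed=${ok}`);
}
```

The first four inputs all collapse to `https://xn--bcher-kva.example` and match the static value; the last two do not, because port and scheme are part of the origin. Whether a UA could legitimately produce a second Punycode form for the same host is exactly the question Jonas raises above; the deterministic output here rests on every implementation applying the same IDNA normalization before encoding.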
