Anne van Kesteren wrote:
> On Fri, 08 Aug 2008 20:44:04 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> The big worry I have though is if there is any possibility to puny
>> encode the same origin in multiple ways (other than with or without
>> default port). This could lead to different UAs encoding the same
>> origin in different ways, which could lead to interoperability issues
>> if sites rather than echoing the 'Origin' header always send out a
>> static value for the Access-Control-Allow-Origin header.
>
> Is that possible? I don't think it is. Domain names follow a strict set
> of normalization rules. (That would also mean the Origin header could
> contain different values depending on the implementation, which is not
> the case.)

The only thing that I _know_ of is that:
http://foo.com
and
http://foo.com:80
are the same origin but have different string representations. I have
also heard that some UAs are able to handle non-ASCII characters in
header values by somehow specifying an encoding. I don't really know how
that works, but for those UAs the following two origins would be equivalent:
http://www.xn--jrnspikar-v2a.com
and
http://www.järnspikar.com
/ Jonas
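
The following is an added example, not part of the original message: a server-side origin allowlist check that reduces both the configured entries and the received `Origin` value to one canonical ASCII form before comparing, so the spellings discussed in the thread (default port present or absent, Unicode or `xn--` host) match each other. The helper names are hypothetical, and it assumes a runtime with the WHATWG `URL` class, such as Node.js.

```javascript
// Added example with constructed inputs; canonicalOrigin, buildAllowlist
// and isAllowedOrigin are hypothetical helper names, not a library API.
const SCHEMES = new Set(["http:", "https:"]);

// Return the ASCII serialization scheme://host[:port] of an origin string,
// or null when the value is not a bare http(s) origin.
function canonicalOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null; // "null", empty or otherwise unparseable
  }
  if (!SCHEMES.has(url.protocol)) return null;
  // An origin has no credentials, path, query or fragment.
  if (url.username || url.password || url.search || url.hash) return null;
  if (url.pathname !== "/") return null;
  // The URL parser has already lowercased the host, converted non-ASCII
  // labels to their xn-- form and dropped the scheme's default port.
  return `${url.protocol}//${url.host}`;
}

// Canonicalize the configured origins once and fail loudly on a bad entry.
function buildAllowlist(entries) {
  const allowed = new Set();
  for (const entry of entries) {
    const origin = canonicalOrigin(entry);
    if (origin === null) throw new Error(`not an origin: ${entry}`);
    allowed.add(origin);
  }
  return allowed;
}

// Exact match on canonical forms only: no prefix, suffix or regex matching.
function isAllowedOrigin(headerValue, allowed) {
  const origin = canonicalOrigin(String(headerValue));
  return origin !== null && allowed.has(origin);
}

// Constructed configuration using the spellings from the thread.
const allowed = buildAllowlist(["http://foo.com:80", "http://www.j\u00e4rnspikar.com"]);
for (const seen of ["http://foo.com", "http://www.xn--jrnspikar-v2a.com",
                    "http://foo.com.example.net", "https://foo.com"]) {
  console.log(seen, isAllowedOrigin(seen, allowed));
}
```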