On Thu, 09 Oct 2008 03:05:20 +0200, Adam Barth <[EMAIL PROTECTED]> wrote:
> In some cases, XHR+AC will send an Origin header whose value is the empty string. This asks server operators to distinguish between a request that lacks an Origin header (like a same-site request) and a request with an empty Origin header (say from a data URL), which might be tricky in various languages like mod_security. Also, some proxies might normalize empty headers away if they represent the non-existence of a header with the empty string (as, for example, XMLHttpRequest does).
Actually, XMLHttpRequest distinguishes between the two. (Empty string versus null, though not all browsers have implemented that feature yet.)
> A previous version of the spec sent the literal string "null" in these cases. It seems like this behavior is preferable. If we want to have the same behavior as postMessage, we might be able to change its origin property to use the string "null" in these cases too.
If HTML5 were to change, Access Control would also automatically change. However, browsers are already deploying this. Then again, I haven't actually tested if any browser does Origin correctly yet.
-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
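The three cases discussed in this thread (no Origin header, an empty Origin header, and the literal string "null"), as an added example that is not part of the original messages or of any spec text. The function names and the sample requests are constructed for illustration; the point is that a header lookup with an empty-string default loses the distinction a server would need.

```python
from enum import Enum

# Added illustration: all names and sample requests below are hypothetical.

class OriginState(Enum):
    ABSENT = "absent"  # no Origin header at all (e.g. a same-site request)
    EMPTY = "empty"    # Origin header present, value is the empty string
    NULL = "null"      # Origin header carries the literal string "null"
    VALUE = "value"    # Origin header carries any other value


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from a raw request head, keeping empty values."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:  # ignore lines that are not "name: value"
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def classify_origin(raw: bytes) -> OriginState:
    """Tell a missing Origin header apart from an empty one and from "null"."""
    values = [v for n, v in parse_headers(raw) if n == "origin"]
    if not values:
        return OriginState.ABSENT
    if values[0] == "":
        return OriginState.EMPTY
    if values[0] == "null":
        return OriginState.NULL
    return OriginState.VALUE


def naive_origin(raw: bytes) -> str:
    """Lossy pattern: a default of "" makes absent and empty indistinguishable."""
    return dict(parse_headers(raw)).get("origin", "")


def build_request(origin_line: str) -> bytes:
    """Constructed sample request; origin_line is "" or a full header line."""
    return ("GET /data HTTP/1.1\r\nHost: example.test\r\n" + origin_line + "\r\n").encode()


SAME_SITE_REQ = build_request("")                        # header absent
EMPTY_ORIGIN_REQ = build_request("Origin:\r\n")          # header present, empty
NULL_ORIGIN_REQ = build_request("Origin: null\r\n")      # literal "null"
CROSS_SITE_REQ = build_request("Origin: http://a.example\r\n")
```

With the literal string "null", the naive lookup still returns a non-empty value, so the absent and opaque-origin cases stay distinguishable even in code that defaults missing headers to "".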