<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [whatwg] WebSocket websocket-origin
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:whatwg%40lists.whatwg.org?Subject=Re%3A%20%5Bwhatwg%5D%20WebSocket%20websocket-origin&In-Reply-To=%3Cop.uilqdmnv64w2qv%40annevk-t60.oslo.opera.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="016537.html">
   <LINK REL="Next"  HREF="016551.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[whatwg] WebSocket websocket-origin</H1>
<!--htdig_noindex-->
    <B>Anne van Kesteren</B> 
    <A HREF="mailto:whatwg%40lists.whatwg.org?Subject=Re%3A%20%5Bwhatwg%5D%20WebSocket%20websocket-origin&In-Reply-To=%3Cop.uilqdmnv64w2qv%40annevk-t60.oslo.opera.com%3E"
       TITLE="[whatwg] WebSocket websocket-origin">annevk at opera.com
       </A><BR>
    <I>Mon Oct  6 05:02:00 PDT 2008</I>
    <P><UL>
        <LI>Previous message: <A HREF="016537.html">[whatwg] Placeholder option for text input boxes
</A></li>
        <LI>Next message: <A HREF="016551.html">[whatwg] Some media element details
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#16550">[ date ]</a>
              <a href="thread.html#16550">[ thread ]</a>
              <a href="subject.html#16550">[ subject ]</a>
              <a href="author.html#16550">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--/htdig_noindex-->
<!--beginarticle-->
<PRE>On Mon, 29 Sep 2008 20:41:23 +0200, Anne van Kesteren &lt;<A HREF="http://lists.whatwg.org/listinfo.cgi/whatwg-whatwg.org">annevk at opera.com</A>&gt;  
wrote:
&gt;<i> What is the reason for doing literal comparison on the websocket-origin  
</I>&gt;<i> and websocket-location HTTP headers? Access Control for Cross-Site  
</I>&gt;<i> Requests is currently following this design for  
</I>&gt;<i> access-control-allow-origin but sicking is complaining about so maybe it  
</I>&gt;<i> should be URL-without-&lt;path&gt; comparison instead. (E.g., then  
</I>&gt;<i> <A HREF="http://example.org">http://example.org</A> and <A HREF="http://example.org:80">http://example.org:80</A> would be equivalent.)
</I>
For those not following IRC,  
<A HREF="http://krijnhoetmer.nl/irc-logs/whatwg/20081003#l-5">http://krijnhoetmer.nl/irc-logs/whatwg/20081003#l-5</A> has more discussion on  
this subject. It seems like literal comparison is what I'll keep doing for  
access-control-allow-origin for now.

(If we decide it should be a same origin check that fails if &lt;path&gt; is  
provided at some later point we can always change it I think as that would  
be a superset of the current algorithm.)


-- 
Anne van Kesteren
&lt;<A HREF="http://annevankesteren.nl/">http://annevankesteren.nl/</A>&gt;
&lt;<A HREF="http://www.opera.com/">http://www.opera.com/</A>&gt;

</PRE>

<!--endarticle-->
<!--htdig_noindex-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="016537.html">[whatwg] Placeholder option for text input boxes
</A></li>
	<LI>Next message: <A HREF="016551.html">[whatwg] Some media element details
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#16550">[ date ]</a>
              <a href="thread.html#16550">[ thread ]</a>
              <a href="subject.html#16550">[ subject ]</a>
              <a href="author.html#16550">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="http://lists.whatwg.org/listinfo.cgi/whatwg-whatwg.org">More information about the whatwg
mailing list</a><br>
<!--/htdig_noindex-->
</body></html>