<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [whatwg] WebSocket websocket-origin
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:whatwg%40lists.whatwg.org?Subject=Re%3A%20%5Bwhatwg%5D%20WebSocket%20websocket-origin&In-Reply-To=%3C48E1B227.5020104%40arc.net.au%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="016358.html">
   <LINK REL="Next"  HREF="016366.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[whatwg] WebSocket websocket-origin</H1>
<!--htdig_noindex-->
    <B>Shannon</B> 
    <A HREF="mailto:whatwg%40lists.whatwg.org?Subject=Re%3A%20%5Bwhatwg%5D%20WebSocket%20websocket-origin&In-Reply-To=%3C48E1B227.5020104%40arc.net.au%3E"
       TITLE="[whatwg] WebSocket websocket-origin">shannon at arc.net.au
       </A><BR>
    <I>Mon Sep 29 21:59:19 PDT 2008</I>
    <P><UL>
        <LI>Previous message: <A HREF="016358.html">[whatwg] WebSocket websocket-origin
</A></li>
        <LI>Next message: <A HREF="016366.html">[whatwg] Canvas performance issue: setting colors
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#16377">[ date ]</a>
              <a href="thread.html#16377">[ thread ]</a>
              <a href="subject.html#16377">[ subject ]</a>
              <a href="author.html#16377">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--/htdig_noindex-->
<!--beginarticle-->
<PRE>Anne van Kesteren wrote:
&gt;<i> What is the reason for doing literal comparison on the 
</I>&gt;<i> websocket-origin and websocket-location HTTP headers? Access Control 
</I>&gt;<i> for Cross-Site Requests is currently following this design for 
</I>&gt;<i> access-control-allow-origin but sicking is complaining about so maybe 
</I>&gt;<i> it should be URL-without-&lt;path&gt; comparison instead. (E.g., then 
</I>&gt;<i> <A HREF="http://example.org">http://example.org</A> and <A HREF="http://example.org:80">http://example.org:80</A> would be equivalent.)
</I>&gt;<i>
</I>&gt;<i>
</I>I think the temptation to standardise features like access control 
defeats the point of websockets. Since things like access control and 
sessions can be readily implemented via CGI interfaces it seems implied 
that the whole point of websockets is to provide &quot;lightweight&quot; services. 
If the service actually needs something like this then the author can 
perform the check post-handshake using any method they feel like. I 
don't really feel strongly one way or the other about this particular 
header but I'm concerned about the slippery-slope of complicating the 
HTTP handshake to the point where you might as well be using CGI. Maybe 
the standard should simply recommend sending the header but make no 
requirement about how it is parsed. That way the service itself can 
decide whether the check is even necessary and if so whether it should 
be strict or loose or regex-based without the client automatically 
hanging up the connection.

Shannon

</PRE>

<!--endarticle-->
<!--htdig_noindex-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="016358.html">[whatwg] WebSocket websocket-origin
</A></li>
	<LI>Next message: <A HREF="016366.html">[whatwg] Canvas performance issue: setting colors
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#16377">[ date ]</a>
              <a href="thread.html#16377">[ thread ]</a>
              <a href="subject.html#16377">[ subject ]</a>
              <a href="author.html#16377">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="http://lists.whatwg.org/listinfo.cgi/whatwg-whatwg.org">More information about the whatwg
mailing list</a><br>
<!--/htdig_noindex-->
</body></html>