Update Origin header processing to latest CORS spec

Issue #1 resolved
Vladimir Dzhuvinov created an issue

Apparently the Origin header no longer permits multiple origin values.

See http://dvcs.w3.org/hg/cors/rev/5a33e330c9b3

Check with browser implementations if any of them still use Origin lists.

Comments (3)

  1. Vladimir Dzhuvinov reporter

    From: Anne van Kesteren annevk@annevk.nl
    To: vladimir@dzhuvinov.com
    Subject: Re: Safe to remove multiple CORS Origin header support?
    Date: Fri, 19 Oct 2012 10:44:43 +0200 (10/19/2012 11:44:43 AM)

    On Fri, Oct 19, 2012 at 9:51 AM, vladimir@dzhuvinov.com wrote:

    > I was reading the latest CORS spec and found out that the Origin header has become single-valued. From my coding perspective this seems to simplify things. I'm thinking of updating the library to match this change, but I want to make sure that's not going to break compatibility with some existing browsers. Do you know of any browser implementations out there that may be relying on the old Origin header definition?

    I don't think so. You'd only get space-separated values in a redirect scenario and I don't think anyone implemented that. Now you'll get "null" in a redirect scenario which should be safer too (as it requires you to do authentication via tokens rather than stack inspection).

    -- http://annevankesteren.nl/
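
The exchange above implies a server-side check: accept exactly one serialized origin, reject the old space-separated list form, and treat "null" as untrusted. The following is an added example, not code from the library or from either correspondent; the allowlist entry, the function names and the restriction to http/https are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist (assumption, not from the issue).
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})


class OriginError(ValueError):
    """Raised when an Origin header is not a single serialized origin."""


def parse_origin(header_value):
    """Return the normalized origin, or None for the opaque "null" origin."""
    value = header_value.strip()
    if not value:
        raise OriginError("empty Origin header")
    if value == "null":
        return None
    # The old definition allowed a space-separated list; reject it outright.
    if any(ch.isspace() for ch in value):
        raise OriginError("multiple origin values are not permitted")
    try:
        parts = urlsplit(value)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError as exc:
        raise OriginError(f"malformed origin: {exc}") from None
    if parts.scheme not in ("http", "https") or not host:
        raise OriginError("origin must be scheme://host[:port]")
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    normalized = f"{parts.scheme}://{host}" + (f":{port}" if port is not None else "")
    # Round-trip check: userinfo, path, query or fragment would not survive it.
    if value.lower() != normalized:
        raise OriginError("origin carries more than scheme, host and port")
    return normalized


def allow_origin_header(header_value, allowed=ALLOWED_ORIGINS):
    """Value for Access-Control-Allow-Origin, or None to omit the header."""
    try:
        origin = parse_origin(header_value)
    except OriginError:
        return None
    # "null" is never allowlisted: such requests must authenticate by token.
    if origin is None or origin not in allowed:
        return None
    return origin
```

Matching on the whole normalized value, rather than on the first token or a substring, is what keeps a list-valued header from being treated as an allowlisted origin.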
