- From: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
- Date: Mon, 27 Sep 2010 16:02:22 +0300
- To: Anne van Kesteren <annevk@opera.com>
- Cc: public-webapps <public-webapps@w3.org>
>> Multiple origin URLs in "Origin" and "Access-Control-Allow-Origin"
>> must be space-separated, correct?
>
> Yes.
>
>
>> I'd like to double-check this as the Mozilla docs say
>> comma-separated, and they seem to be in error:
>>
>> https://developer.mozilla.org/En/HTTP_access_control#section_3
>>
>> "...The Access-Control-Allow-Origin header should contain a comma
>> separated list of acceptable domains..."
>
> This seems entirely incorrect as the Access-Control-Allow-Origin must match
> the Origin header exactly, octet for octet.

Thanks, Anne. I suspect they got confused by the other CORS headers that are comma separated. I also nearly fell into this trap, but thank god, the draft-abarth-origin-07 was still fresh in my head.

I suppose it might be helpful to add an example with multiple origin URLs at the bottom to minimise the risk of misunderstanding. Also, it could somewhat help if the contents of sections 5.1.2 and 5.2.2 were made identical.

--
Vladimir Dzhuvinov :: software.dzhuvinov.com
Received on Monday, 27 September 2010 13:02:59 UTC
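
The exact-match rule discussed in this message, as an added example that is not part of the original thread or of the specification text: a server that echoes an allowlisted Origin value unchanged, and a model of the client-side comparison that shows why a comma-separated value fails. The allowlist, the sample origins and the function names `allowOriginFor` and `resourceSharingCheck` are assumptions made for illustration.

```javascript
// Added illustration, not code from the thread or from any specification.
// ALLOWED, allowOriginFor and resourceSharingCheck are hypothetical names.
const ALLOWED = new Set([
  "https://app.example.com", // constructed sample origins
  "https://admin.example.com",
]);

// Server side: pick the Access-Control-Allow-Origin value for a request.
// The Origin header may list several origins separated by single spaces.
// Assumed policy: every origin in the list must be allowlisted, and the
// header is echoed back unchanged so that it matches octet for octet.
function allowOriginFor(originHeader) {
  if (typeof originHeader !== "string" || originHeader === "") return null;
  const origins = originHeader.split(" ");
  return origins.every((o) => ALLOWED.has(o)) ? originHeader : null;
}

// Model of the client-side check: exact, case-sensitive comparison.
// Header values are ASCII, so === on the strings compares the same octets.
// "*" is accepted only when the request carries no credentials.
function resourceSharingCheck(originHeader, allowOriginValue, withCredentials) {
  if (typeof allowOriginValue !== "string") return false;
  if (allowOriginValue === "*") return !withCredentials;
  return allowOriginValue === originHeader;
}

// Constructed header values for the demonstration.
const single = "https://app.example.com";
const chain = "https://app.example.com https://admin.example.com";
const commaList = "https://app.example.com, https://admin.example.com";

function demo() {
  return {
    singleEchoed: resourceSharingCheck(single, allowOriginFor(single), true),
    chainEchoed: resourceSharingCheck(chain, allowOriginFor(chain), true),
    // A comma-separated list never equals the Origin header: access denied.
    commaForSingle: resourceSharingCheck(single, commaList, false),
    commaForChain: resourceSharingCheck(chain, commaList, false),
    // Case differences also break the exact match.
    caseMismatch: resourceSharingCheck(single, "https://APP.example.com", false),
    wildcardWithCredentials: resourceSharingCheck(single, "*", true),
  };
}

console.log(demo());
```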