Re: Change JSONRequest Domain header to Origin header
On Sat, May 24, 2008 at 2:46 PM, Douglas Crockford wrote:
> On Sat, May 24, 2008 at 2:37 PM, Collin Jackson <collin@...> wrote:
> > Can we change the name of JSONRequest's Domain header to also be
> > Origin and have its behavior match XHR2 and postMessage? This will
> > allow servers to enforce security policies based on scheme and port.
>
> Yes. Send me the formal text and I will update the doc.

Here is a version that doesn't reference any specs. Alternatively, you
could reference either the HTML 5 specification or the Access-Control
specification.

The <code>Origin</code> is the serialization of the security origin of
the page from which the request is issued. It can be used by the
server when deciding to allow the request. It is the scheme followed
by <code>://</code>, followed by the original
<code>document.domain</code> without any trailing U+002E (.), if any,
where each part of the domain has had the IDNA ToASCII algorithm
applied. Then, if port is not the default port for the scheme, follow
it by <code>:</code> and the port. If the source of the request does
not have a host-based authority, the access control origin is the
literal string "null" (without the quotation marks).
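
The serialization rule in the proposed text, and the scheme-and-port check it lets a server make, sketched in JavaScript as an added example (not part of the original message or the JSONRequest document). The `source` object shape, the default-port table, the allowlist, and the use of the WHATWG `URL` parser in place of per-label IDNA ToASCII are assumptions.

```javascript
// Added example: constructed illustration, not code from the JSONRequest document.

// Assumption: default ports for the two schemes this sketch handles.
const DEFAULT_PORTS = { http: 80, https: 443 };

// Serialize an origin as the proposed text describes.
// `source` is a hypothetical { scheme, host, port } description of the page.
function serializeOrigin(source) {
  // No host-based authority: the origin is the literal string "null".
  if (!source || !source.host) return "null";
  const scheme = source.scheme.toLowerCase();
  // Drop a trailing U+002E (.) from the host, if present.
  const host = source.host.replace(/\.$/, "");
  // Assumption: the WHATWG URL host parser stands in for applying
  // IDNA ToASCII to each label of the domain.
  const asciiHost = new URL("http://" + host).hostname;
  let origin = scheme + "://" + asciiHost;
  // Append the port only when it is not the scheme's default.
  if (source.port !== undefined && source.port !== DEFAULT_PORTS[scheme]) {
    origin += ":" + source.port;
  }
  return origin;
}

// Server side: compare the whole header value, so that scheme and port
// count as much as the host. "null" is never treated as trusted.
function isAllowedOrigin(originHeader, allowed) {
  if (typeof originHeader !== "string" || originHeader === "null") return false;
  return allowed.has(originHeader);
}

// Constructed allowlist and sample request sources.
const ALLOWED = new Set(["https://app.example", "https://app.example:8443"]);
const samples = [
  { scheme: "https", host: "app.example.", port: 443 },   // trailing dot, default port
  { scheme: "http", host: "app.example", port: 80 },      // same host, wrong scheme
  { scheme: "https", host: "app.example", port: 9000 },   // same host, wrong port
  { scheme: "http", host: "bücher.example", port: 8080 }, // internationalized host
  { scheme: "file", host: "" },                           // no host-based authority
];
for (const s of samples) {
  const o = serializeOrigin(s);
  console.log(o, isAllowedOrigin(o, ALLOWED) ? "allow" : "deny");
}
```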