[whatwg] "null" versus "" in origin serialization

Adam Barth whatwg at adambarth.com
Tue Oct 14 01:05:06 PDT 2008

Section 5.3 defines the serialization of an origin that is not a
scheme/host/port triple as the empty string.  This serialization (in
its ASCII variation) is used by the Access Control for Cross-Site
Requests spec to serialize an origin to an HTTP header.  Using the
empty string to represent these origins asks server operators to
distinguish requests with an empty Origin header from requests without
an Origin header.  Server operators will often wish to take
drastically different actions based on these requests, but this
difference can be tricky to distinguish in some languages, such as
mod_security and PHP.

We should change the serialization of these origins to the string
literal "null" as they were serialized in a previous draft of the
Access Control spec.  This would have the effect of changing the
origin property of message events generated by postMessage(), but this
change is unlikely to break users of that API as the empty string case
is quite unusual.


More information about the whatwg mailing list