[whatwg] "null" versus "" in origin serialization

Ian Hickson ian at hixie.ch
Mon Oct 20 08:13:22 PDT 2008

On Tue, 14 Oct 2008, Adam Barth wrote:
> Section 5.3 defines the serialization of an origin that is not a 
> scheme/host/port triple as the empty string.  This serialization (in its 
> ASCII variation) is used by the Access Control for Cross-Site Requests 
> spec to serialize an origin to an HTTP header.  Using the empty string 
> to represent these origins asks server operators to distinguish requests 
> with an empty Origin header from requests without an Origin header.  
> Server operators will often wish to take drastically different actions 
> based on these requests, but this difference can be tricky to 
> distinguish in some languages, such as mod_security and PHP.
>
> We should change the serialization of these origins to the string 
> literal "null" as they were serialized in a previous draft of the Access 
> Control spec.  This would have the effect of changing the origin 
> property of message events generated by postMessage(), but this change 
> is unlikely to break users of that API as the empty string case is quite 
> unusual.


Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
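
Added example, not part of the original message: a Python sketch of the server-side ambiguity described in the quoted text, showing how a truthiness check conflates an empty Origin header with a missing one while "null" stays distinguishable. It assumes a WSGI/CGI-style environ dict in which the header appears as HTTP_ORIGIN; the function names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

def naive_has_origin(environ):
    """Common truthiness check: cannot tell "" from a header that was never sent."""
    return bool(environ.get("HTTP_ORIGIN"))

def classify_origin(environ):
    """Return (kind, triple) for the Origin header in a WSGI/CGI-style environ.

    kind is one of: "absent", "empty", "opaque", "triple", "malformed".
    """
    value = environ.get("HTTP_ORIGIN")   # None only when the header is missing
    if value is None:
        return "absent", None
    value = value.strip()
    if value == "":
        return "empty", None             # the empty-string serialization
    if value == "null":
        return "opaque", None            # the proposed "null" serialization
    try:
        parts = urlsplit(value)
        port = parts.port                # raises ValueError on a bad port
    except ValueError:
        return "malformed", None
    # A serialized origin is scheme://host[:port] with nothing else attached.
    if (not parts.scheme or not parts.hostname or parts.username
            or parts.path or parts.query or parts.fragment):
        return "malformed", None
    return "triple", (parts.scheme, parts.hostname, port)

# Constructed sample requests (not taken from any real traffic).
SAMPLES = [
    {},                                          # no Origin header
    {"HTTP_ORIGIN": ""},                         # non-triple origin, old form
    {"HTTP_ORIGIN": "null"},                     # non-triple origin, new form
    {"HTTP_ORIGIN": "http://example.com:8080"},  # ordinary triple
]

def compare(samples=SAMPLES):
    """Pair the naive answer with the explicit classification for each sample."""
    return [(naive_has_origin(e), classify_origin(e)[0]) for e in samples]

if __name__ == "__main__":
    for naive, kind in compare():
        print(f"naive_has_origin={naive!s:5}  classified={kind}")
```

The first two samples get the same answer from the naive check even though a server would usually want to treat them very differently; with "null" the non-triple case survives any check that only tests whether the header has a value.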