Closed Bug 606555 Opened 14 years ago Closed 7 years ago

Access-Control-Allow-Origin header appears not to work with about:home

Component: Core :: DOM: Core & HTML (defect)
Platform: x86 macOS
Priority: Not set; Severity: normal
Status: RESOLVED INVALID
Reporter: lorchard; Assignee: Unassigned

For Bug 592431, I'm trying to build a snippet server to which about:home will send requests using XMLHttpRequest to an external server (e.g. http://snippets.mozilla.com/).

Requests fail when I issue this header in a response:

Access-Control-Allow-Origin: about:home

Requests succeed when I change the header to this instead:

Access-Control-Allow-Origin: *

We'd like this to be less specific, though. Is this expected behavior?
Component: Security → DOM
Product: Firefox → Core
QA Contact: firefox → general
Just for fun, can you try these header values?

moz-safe-about:home
chrome://browser/content/aboutHome.xhtml
Per spec, the origin of about:home is a nonce origin, and attempting to convert it to a string produces the string "null". So (again, per spec), there is no way to match the origin of about:home. Now maybe we should be giving about:home a different origin...
Boris/Gavin - this bug blocks the snippet service bug: https://bugzilla.mozilla.org/show_bug.cgi?id=592431 which we're trying to get into Fxb 12 - code freeze this Friday. Is this still a blocker? If so what are next steps?
FWIW, I don't think this is a blocker as far as security review is concerned: https://bugzilla.mozilla.org/show_bug.cgi?id=592431#c40 At least, not yet, and maybe not in the future since snippets will be behind SSL
> Is this still a blocker?

It's not a Gecko blocker at the moment, no. Again, about:home is using a nonce origin. So the behavior observed is correct, given that premise. The Access-Control-Allow-Origin stuff is really not designed to work with non-authority schemes like about:.....
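The two observations in the comments above (a nonce origin serializes to the string "null", so no Access-Control-Allow-Origin value can name about:home, and only a wildcard lets the request through) can be seen in a few lines of Python. This is an added example, not code from the bug or from the snippet server; the function names, the ALLOWED_ORIGINS set and the example.org origins are constructed for illustration. It models both sides of the exchange: how a browser matches the header against the document's serialized origin, and how a server should answer an Origin request header without ever echoing "null" back.

```python
from urllib.parse import urlsplit

# Constructed allow list for the example; no real deployment's origins are implied.
ALLOWED_ORIGINS = {"https://www.example.org", "https://app.example.org"}


def serialize_origin(document_url):
    """Serialize a document's origin the way a browser does for the Origin
    header and for ACAO matching: a tuple origin (http/https with a host)
    becomes scheme://host[:port]; anything else (about:, data:, file:,
    sandboxed frames) is opaque and becomes the literal string "null"."""
    parts = urlsplit(document_url)
    if parts.scheme in ("http", "https") and parts.hostname:
        default_port = 80 if parts.scheme == "http" else 443
        if parts.port in (None, default_port):
            return f"{parts.scheme}://{parts.hostname}"
        return f"{parts.scheme}://{parts.hostname}:{parts.port}"
    return "null"


def browser_permits(acao_value, document_url, with_credentials=False):
    """Mirror the browser's response-side CORS check: may the document at
    document_url read a response carrying this Access-Control-Allow-Origin?
    Matching is a plain string comparison against the serialized origin,
    which is why "about:home" in the header can never match about:home."""
    if acao_value is None:
        return False
    if acao_value == "*":
        return not with_credentials  # the wildcard is rejected for credentialed requests
    return acao_value == serialize_origin(document_url)


def server_acao_headers(request_origin, public_resource=False):
    """Decide the CORS response headers for an incoming Origin header.
    Opaque origins arrive as the string "null"; echoing that back would admit
    every opaque origin at once, so a public resource gets "*" and anything
    else gets no CORS headers at all."""
    if request_origin is None:
        return {}  # same-origin or non-CORS request: nothing to add
    if request_origin == "null":
        return {"Access-Control-Allow-Origin": "*"} if public_resource else {}
    if request_origin in ALLOWED_ORIGINS:
        # Echo the one matching origin and tell caches the answer depends on it.
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    for header in ("about:home", "*", "null"):
        print(f"ACAO={header!r:12} about:home may read:",
              browser_permits(header, "about:home"))
```

The server side deliberately treats a literal `Access-Control-Allow-Origin: null` as something it will never emit: about:home is not the only document that serializes to "null" (sandboxed iframes, data: and file: documents do too), so matching on it would be a far wider grant than the snippet service intends. A credential-free wildcard on a resource that is public anyway, as the reporter found, is the narrowest thing that actually works for an opaque origin.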
Closing as INVALID given lack of interest.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Component: DOM → DOM: Core & HTML