The Access-Control-Origin header includes the port of the origin of the request, even if the port is the default for the origin's scheme:
http://www.w3.org/TR/access-control/#access-control-origin The HTML 5 specification for postMessage does not include the port in the MessageEvent's origin field if the port is the default for the origin's scheme. http://www.whatwg.org/specs/web-apps/current-work/#origin Would it make sense to change Access-Control-Origin to match postMessage?
