
Re: [cors] Subdomains

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Sun, 25 Jul 2010 13:55:23 -0700
Message-ID: <AANLkTikwj5tTwV0uuyOGXMTeXAoXU=6XMRyXLp4TYXQy@mail.gmail.com>
To: Christoph Päper <christoph.paeper@crissov.de>
Cc: public-webapps@w3.org
On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper
<christoph.paeper@crissov.de> wrote:
> Maybe I’m missing something, but shouldn’t it be easy to use certain groups of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the host or the port part irrelevant or only match certain subparts of the host part?
>
> Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias (*.wikiPedia.org) but no other site should be able to access certain resources from the common repository at commons.wikiMedia.org, wouldn’t everybody expect
>
>  Access-Control-Allow-Origin: http://*.wikipedia.org
>
> to just work? Is the Commons server instead expected to parse the Origin header and dynamically set ACAO accordingly?

This one might work, but:

> Likewise transnational corporations might want something like
>
>  Access-Control-Allow-Origin: http://example.*, http://example.co.*
>
> although they cannot guarantee that they possess the second or third level domain name under all top level domains.

This one won't, because it'll match "example.co.evilsite.com".

~TJ
Received on Sunday, 25 July 2010 20:56:17 GMT
