W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [cors] Subdomains

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 25 Jul 2010 21:05:17 +0000
Message-ID: <AANLkTi=WvQ9aJZc0HR4zN2ur=LhjEWG6OvupC6CL2_-y@mail.gmail.com>
To: "Tab Atkins Jr." <jackalmage@gmail.com>
Cc: Christoph Päper <christoph.paeper@crissov.de>, public-webapps@w3.org

On Sun, Jul 25, 2010 at 8:55 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> On Sun, Jul 25, 2010 at 5:25 AM, Christoph Päper
> <christoph.paeper@crissov.de> wrote:
>> Maybe I’m missing something, but shouldn’t it be easy to use certain groups of origins in ‘Access-Control-Allow-Origin’, e.g. make either the scheme, the host or the port part irrelevant or only match certain subparts of the host part?
>>
>> Consider Wikipedia/Wikimedia as an example. If all 200-odd Wikipedias (*.wikiPedia.org) but no other site should be able to access certain resources from the common repository at commons.wikiMedia.org, wouldn’t everybody expect
>>
>>  Access-Control-Allow-Origin: http://*.wikipedia.org
>>
>> to just work? Is the Commons server instead expected to parse the Origin header and dynamically set ACAO accordingly?
>
> This one might work, but:
>
>> Likewise transnational corporations might want something like
>>
>>  Access-Control-Allow-Origin: http://example.*, http://example.co.*
>>
>> although they cannot guarantee that they possess the second or third level domain name under all top level domains.
>
> This one won't, because it'll match "example.co.evilsite.com".

It's very rare for a transnational to actually own all instances of
its name in every TLD.  That would make every new TLD an opportunity
to attack the transnational...  Bad times.

Adam
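Christoph asks whether the Commons server is "expected to parse the Origin header and dynamically set ACAO accordingly", and Tab points out why a trailing wildcard such as `http://example.co.*` is unsafe. The following is an added example, not code from this thread, from Wikimedia or from any CORS implementation: a small server-side allowlist matcher that accepts only a leading `*.` wildcard on the host, compares scheme and port exactly, and echoes the request's own Origin value back (with `Vary: Origin`) only after a match. The pattern grammar, the function names and the sample allowlist are assumptions of this example.

```javascript
'use strict';

// Added example: dynamic Access-Control-Allow-Origin from an allowlist.
// A serialized origin is scheme://host[:port]; the Origin request header
// carries one of these (or the literal "null"), never a pattern.
const ORIGIN_RE = /^(https?):\/\/([a-z0-9.-]+)(?::(\d+))?$/i;

// Parse a serialized origin. Returns null for "null", non-strings, and
// anything that is not exactly scheme://host[:port] (no path, no "*").
function parseOrigin(s) {
  if (typeof s !== 'string') return null;
  const m = ORIGIN_RE.exec(s);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  return {
    scheme,
    host: m[2].toLowerCase(),
    port: m[3] ? Number(m[3]) : (scheme === 'https' ? 443 : 80),
  };
}

// Parse one allowlist entry (assumed grammar). The only wildcard allowed is
// a leading "*." host label, e.g. "http://*.wikipedia.org". A trailing
// wildcard such as "http://example.co.*" is rejected outright, because a
// suffix-free match would also accept example.co.evilsite.com.
function parseAllowlistEntry(entry) {
  const subdomains = typeof entry === 'string' && entry.includes('://*.');
  const base = subdomains ? entry.replace('://*.', '://') : entry;
  const o = parseOrigin(base);
  if (!o) {
    throw new Error(`unsupported allowlist entry (only a leading "*." wildcard is allowed): ${entry}`);
  }
  return { ...o, subdomains };
}

function buildRules(entries) {
  return entries.map(parseAllowlistEntry);
}

// Scheme and port must match exactly. The host must be equal, or, for a
// "*." rule, end with "." followed by the rule host, so that
// "wikipedia.org.evilsite.com" never matches "*.wikipedia.org".
// (A "*." rule also covers the apex host here; drop the first clause of the
// host test if you want subdomains only.)
function originMatches(origin, rule) {
  if (origin.scheme !== rule.scheme || origin.port !== rule.port) return false;
  if (origin.host === rule.host) return true;
  return rule.subdomains && origin.host.endsWith('.' + rule.host);
}

// Returns the CORS response headers to set for this request, or null when
// the request origin is not allowed (in which case set no ACAO header).
// The Origin value is echoed back only after it parsed and matched a rule,
// and Vary: Origin keeps shared caches from serving one origin's answer to
// another.
function corsHeaders(originHeader, rules) {
  const origin = parseOrigin(originHeader);
  if (!origin) return null;
  if (!rules.some((rule) => originMatches(origin, rule))) return null;
  return { 'Access-Control-Allow-Origin': originHeader, 'Vary': 'Origin' };
}

// Stand-alone demo with a constructed allowlist modelled on the thread's
// Wikipedia/Commons scenario.
const demoRules = buildRules(['http://*.wikipedia.org', 'https://commons.wikimedia.org']);
for (const o of ['http://en.wikipedia.org', 'http://wikipedia.org.evilsite.com',
                 'http://en.wikipedia.org:8080', 'null']) {
  console.log(o, '->', JSON.stringify(corsHeaders(o, demoRules)));
}
try {
  buildRules(['http://example.co.*']);
} catch (e) {
  console.log('rejected allowlist entry:', e.message);
}

module.exports = { parseOrigin, parseAllowlistEntry, buildRules, originMatches, corsHeaders };
```

The point of the strict parser is that the allowlist, not the request, decides the shape of what is accepted: the server never reflects an arbitrary Origin, and a misconfigured trailing-wildcard entry fails at startup rather than silently matching attacker-controlled hosts.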
Received on Sunday, 25 July 2010 21:06:08 GMT
