
CORS Security Question

From: Ashar Javed <ashar.javed@tu-harburg.de>
Date: Fri, 01 Jul 2011 09:48:43 +0200
Message-ID: <20110701094843.13256dlvj7ekpt8o@webmail.tu-harburg.de>
To: "public-webapps@w3.org" <public-webapps@w3.org>
Cc: michael.hausenblas@deri.org
Hi,

If a server is returning (Access-Control-Allow-Origin: *) without
setting the Origin header in the HTTP request, then can we say that the
server is not implementing CORS properly?

With the help of http://web-sniffer.net/, I randomly checked sites
(home pages only) for CORS, and nearly 200 sites are returning
(Access-Control-Allow-Origin: *).

Cheers,

ashar
Received on Friday, 1 July 2011 08:33:46 GMT
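
The check described in the message, comparing what a server returns when the request carries no Origin header with what it returns when one is present, can be scripted over captured response headers. This is an added example, not part of the original post; the function names, the probe origin and the sample responses are constructed for illustration.

```python
# Added example: names and sample responses below are constructed.
PROBE = "https://probe.invalid"  # assumed test origin the site has no reason to trust

def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None

def classify_cors(no_origin, with_origin, probe_origin=PROBE):
    """Classify one URL from two responses: no_origin answers a request sent
    without an Origin header, with_origin answers one sent with probe_origin."""
    acao_plain = header(no_origin, "Access-Control-Allow-Origin")
    acao_probe = header(with_origin, "Access-Control-Allow-Origin")
    creds = header(with_origin, "Access-Control-Allow-Credentials") == "true"
    vary = [t.strip().lower() for t in (header(with_origin, "Vary") or "").split(",")]
    notes = []
    if acao_plain is None and acao_probe is None:
        return "no-cors-headers", notes
    if acao_plain == "*" and acao_probe == "*":
        policy = "static-wildcard"    # same header whether or not Origin was sent
    elif acao_probe == probe_origin:
        policy = "origin-dependent"   # value follows the request's Origin
        if "origin" not in vary:
            notes.append("missing Vary: Origin on an origin-dependent response")
    else:
        policy = "other"              # fixed origin, allowlist miss, or inconsistent
    if acao_probe == "*" and creds:
        notes.append("wildcard with Allow-Credentials: browsers refuse credentialed reads")
    if policy == "origin-dependent" and creds:
        notes.append("untrusted origin echoed with Allow-Credentials: review allowlist")
    return policy, notes

# Constructed observations: url -> (response without Origin, response with Origin)
SAMPLES = {
    "https://static.example/": ({"Access-Control-Allow-Origin": "*"},
                                {"Access-Control-Allow-Origin": "*"}),
    "https://api.example/": ({}, {"access-control-allow-origin": PROBE,
                                  "Access-Control-Allow-Credentials": "true"}),
    "https://plain.example/": ({}, {}),
}

def audit(samples):
    """Run classify_cors over every observed URL."""
    return {url: classify_cors(a, b) for url, (a, b) in samples.items()}

if __name__ == "__main__":
    for url, (policy, notes) in audit(SAMPLES).items():
        print(url, policy, notes)
```
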
