CORS Security Question

Hi,

If a server is returning (Access-Control-Allow-Origin: *) without  
setting the Origin header in HTTP request then can we say that server  
is not implementing CORS properly?

With the help of http://web-sniffer.net/, I randomly checked sites  
(home pages only) for CORS and nearly 200 sites are returning  
(Access-Control-Allow-Origin: *).

Cheers,

ashar

Received on Friday, 1 July 2011 08:33:46 UTC