Re: CORS Security Question

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 01 Jul 2011 10:41:00 +0200
To: "public-webapps@w3.org" <public-webapps@w3.org>, "Ashar Javed" <ashar.javed@tu-harburg.de>
Cc: michael.hausenblas@deri.org
Message-ID: <op.vxxmemqm64w2qv@anne-van-kesterens-macbook-pro.local>

On Fri, 01 Jul 2011 09:48:43 +0200, Ashar Javed  
<ashar.javed@tu-harburg.de> wrote:
> If a server is returning (Access-Control-Allow-Origin: *) without
> the Origin header being set in the HTTP request, then can we say that
> the server is not implementing CORS properly?
>
> With the help of http://web-sniffer.net/, I randomly checked sites (home  
> pages only) for CORS and nearly 200 sites are returning  
> (Access-Control-Allow-Origin: *).

Doing that seems fine. The specification cannot really forbid that.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Friday, 1 July 2011 08:41:53 GMT