
Re: CORS Security Question

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 1 Jul 2011 02:21:42 -0700
Message-ID: <BANLkTikO6sLC_5aWv1Nmgja3m0aWAuiKRA@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: "public-webapps@w3.org" <public-webapps@w3.org>, Ashar Javed <ashar.javed@tu-harburg.de>, michael.hausenblas@deri.org
On Fri, Jul 1, 2011 at 1:41 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Fri, 01 Jul 2011 09:48:43 +0200, Ashar Javed <ashar.javed@tu-harburg.de>
> wrote:
>>
>> If a server is returning (Access-Control-Allow-Origin: *) without the
>> Origin header being set in the HTTP request, then can we say that the
>> server is not implementing CORS properly?
>>
>> With the help of http://web-sniffer.net/, I randomly checked sites (home
>> pages only) for CORS and nearly 200 sites are returning
>> (Access-Control-Allow-Origin: *).
>
> Doing that seems fine. The specification cannot really forbid that.

This should be allowed for sure. Sending a "*" value for the
"Access-Control-Allow-Origin" header is completely safe for servers
attached to the public internet. If a site feels that it has content
that could be of interest to others, it should feel free to add that
header on all its responses, without the complexity of checking if an
"Origin" header was present in the request.

/ Jonas
Received on Friday, 1 July 2011 09:22:42 GMT
