[cors] 7.2 seems to make * unusable

From: Benson Margulies <bimargulies@gmail.com> Date: Sat, 3 Dec 2011 19:55:29 -0500 Message-ID: <CALhtWkdUJZwPE-1YEaBEM9ye=fJS0CJ7HF45S6G+32fuAmLL4g@mail.gmail.com> To: public-webapps@w3.org · This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:49 GMT

I suppose that I'm reading it wrong, but... in
http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#make-a-request-steps

7.2.2 says that if the response is "*" and credentials are off, we
fail. So, first question, is it really the intent to say that a
service can't just return * to permit any old origin? This also seems
to contradict 6.1.3, which says that * is only valid for
non-credential resources.

7.2.3 makes no allowance for *. It just says case-sensitive match for
the origin.

The net result is that the resource check fails for all cases when the
allow value is "*".