[cors] 7.2 seems to make * unusable

From: Benson Margulies <bimargulies@gmail.com>
Date: Sat, 3 Dec 2011 19:55:29 -0500
Message-ID: <CALhtWkdUJZwPE-1YEaBEM9ye=fJS0CJ7HF45S6G+32fuAmLL4g@mail.gmail.com>
To: public-webapps@w3.org

I suppose that I'm reading it wrong, but... in
http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#make-a-request-steps

7.2.2 says that if the response is "*" and credentials are off, we
fail. So, first question, is it really the intent to say that a
service can't just return * to permit any old origin? This also seems
to contradict 6.1.3, which says that * is only valid for
non-credential resources.

7.2.3 makes no allowance for *. It just says case-sensitive match for
the origin.

The net result is that the resource check fails for all cases when the
allow value is "*".

Received on Sunday, 4 December 2011 00:56:16 GMT
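
The step ordering discussed in the message above, as an added example that is not part of the original post or of the CORS draft: `checkAsRead` follows 7.2.2 and 7.2.3 as the message reads them, and `checkWildcardAware` is one assumed ordering in which `*` passes only for requests without credentials, the rule the message cites from 6.1.3. Function names, parameters and the sample origin are hypothetical, and only the two steps the message discusses are modelled.

```javascript
// Added illustration; all names here are hypothetical.
// allowOrigin: the single Access-Control-Allow-Origin value on the response
//              (undefined when the header is absent).
// origin: the requesting origin. withCredentials: true if the request carries credentials.

// The two steps as the message reads them.
function checkAsRead(allowOrigin, origin, withCredentials) {
  if (typeof allowOrigin !== "string") return "fail";
  if (allowOrigin === "*" && !withCredentials) return "fail"; // 7.2.2 as read
  if (allowOrigin !== origin) return "fail";                  // 7.2.3: case-sensitive match
  return "pass";
}

// Assumed ordering: "*" short-circuits to pass only when credentials are
// omitted; with credentials it falls through to the exact match and fails.
function checkWildcardAware(allowOrigin, origin, withCredentials) {
  if (typeof allowOrigin !== "string") return "fail";
  if (allowOrigin === "*" && !withCredentials) return "pass";
  if (allowOrigin !== origin) return "fail";
  return "pass";
}

// Constructed sample cases: run both checks over every combination.
function compare(origin) {
  const values = ["*", origin, origin.toUpperCase(), undefined];
  const rows = [];
  for (const allowOrigin of values) {
    for (const withCredentials of [false, true]) {
      rows.push({
        allowOrigin,
        withCredentials,
        asRead: checkAsRead(allowOrigin, origin, withCredentials),
        wildcardAware: checkWildcardAware(allowOrigin, origin, withCredentials),
      });
    }
  }
  return rows;
}

console.table(compare("https://app.example"));
```

The two functions differ in exactly one row: `*` on a request without credentials. Under the reading in the message, no row with `*` ever passes.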