[cors] 7.2 seems to make * unusable

I suppose that I'm reading it wrong, but... in
http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#make-a-request-steps

7.2.2 says that if the response is "*" and credentials are off, we
fail. So, first question, is it really the intent to say that a
service can't just return * to permit any old origin? This also seems
to contradict 6.1.3, which says that * is only valid for
non-credential resources.

7.2.3 makes no allowance for *. It just says case-sensitive match for
the origin.

The net result is that the resource check fails for all cases when the
allow value is "*".

Received on Sunday, 4 December 2011 00:56:16 UTC
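
An added example, not part of the original message or of the spec text: a sketch of the resource sharing check discussed above, assuming the reading browsers implement, in which "*" passes only when credentials are omitted and every other value needs a case-sensitive origin match. The names resourceSharingCheck, headerValues and omitCredentials and the sample origin are hypothetical.

```javascript
// Added illustration. Response headers are given as [name, value] pairs.
function headerValues(headers, name) {
  return headers
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v);
}

// Returns "pass" or "fail" for one response.
function resourceSharingCheck(headers, requestOrigin, omitCredentials) {
  const allowOrigin = headerValues(headers, "Access-Control-Allow-Origin");
  // Zero or more than one Access-Control-Allow-Origin value: fail.
  if (allowOrigin.length !== 1) return "fail";
  // The wildcard is honoured only when the request carries no credentials.
  if (allowOrigin[0] === "*" && omitCredentials) return "pass";
  // Case-sensitive comparison with the request's Origin value.
  // "*" on a credentialed request falls through to here and fails.
  if (allowOrigin[0] !== requestOrigin) return "fail";
  if (!omitCredentials) {
    // Credentialed requests also need exactly one
    // Access-Control-Allow-Credentials value, equal to "true".
    const allowCreds = headerValues(headers, "Access-Control-Allow-Credentials");
    if (allowCreds.length !== 1 || allowCreds[0] !== "true") return "fail";
  }
  return "pass";
}

// Constructed sample responses, not captured traffic.
function runSamples() {
  const origin = "https://app.example";
  const wildcard = [["Access-Control-Allow-Origin", "*"]];
  const exact = [
    ["Access-Control-Allow-Origin", origin],
    ["Access-Control-Allow-Credentials", "true"],
  ];
  return {
    wildcardNoCredentials: resourceSharingCheck(wildcard, origin, true),
    wildcardWithCredentials: resourceSharingCheck(wildcard, origin, false),
    exactWithCredentials: resourceSharingCheck(exact, origin, false),
  };
}
```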