Re: [access-control]

On Sat, Mar 8, 2014 at 7:46 AM, Akash Jain <akash.delhite@gmail.com> wrote:
> Does Access-Control-Allow-Origin need to be domain specific?
>
> Infosec has recommended that we use this header:
>
> Access-Control-Allow-Origin:http://domainA.mycompany.com,http//*.mycompany.com

That would never work.


> But I also own the domain: http://domainB.mycompany.com
>
> So, if I just use
>
> Access-Control-Allow-Origin:http://*.mycompany.com
>
> Will this be enough? Or does it need to be domain specific?

No, you cannot use wildcards. See http://fetch.spec.whatwg.org/ for details.


-- 
http://annevankesteren.nl/

Received on Sunday, 16 March 2014 05:26:49 UTC
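
Added example, not part of the original messages: because the header value cannot carry a wildcard pattern or a comma-separated list, a server that needs to cover several subdomains commonly compares the request's Origin header against its own allowlist and echoes back the single matching origin. The policy (any http/https subdomain of mycompany.com) and the function names below are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this example: any http/https host under mycompany.com.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PARENT = "mycompany.com"
HOSTNAME_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")


def is_allowed_origin(origin):
    """Return True only for a serialized origin under ALLOWED_PARENT."""
    if not origin or origin == "null":
        return False
    try:
        parts = urlsplit(origin)
        host = parts.hostname  # lower-cased by urlsplit
        parts.port             # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or host is None:
        return False
    # An origin is scheme://host[:port] only: no path, query, fragment, userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return False
    # Reject characters such as "*" or "," that a real hostname cannot contain.
    if not HOSTNAME_RE.fullmatch(host):
        return False
    # Match on a label boundary so "evilmycompany.com" and
    # "mycompany.com.evil.example" do not pass.
    return host == ALLOWED_PARENT or host.endswith("." + ALLOWED_PARENT)


def cors_headers(request_origin):
    """Build CORS response headers for one request's Origin header value."""
    # Vary: Origin keeps caches from reusing one origin's response for another.
    headers = {"Vary": "Origin"}
    if request_origin is not None and is_allowed_origin(request_origin):
        # Echo exactly one origin; the header takes no list and no pattern.
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


if __name__ == "__main__":
    # Constructed sample Origin values.
    for sample in ("http://domainA.mycompany.com", "http://domainB.mycompany.com",
                   "http://evilmycompany.com", "http://*.mycompany.com"):
        print(sample, "->", cors_headers(sample))
```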