
[Bug 19920] New: Don't allow space-separated origins in the syntax

From: <bugzilla@jessica.w3.org>
Date: Fri, 09 Nov 2012 14:32:15 +0000
To: public-webappsec@w3.org
Message-ID: <bug-19920-4874@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=19920

          Priority: P2
            Bug ID: 19920
                CC: mike@w3.org, public-webappsec@w3.org
          Assignee: annevk@annevk.nl
           Summary: Don't allow space-separated origins in the syntax
        QA Contact: dave.null@w3.org
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: simonp@opera.com
          Hardware: PC
            Status: NEW
           Version: unspecified
         Component: CORS
           Product: WebAppsSec

http://fetch.spec.whatwg.org/#access-control-allow-origin-response-header says

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":"
origin-list-or-null | "*"

Since http://fetch.spec.whatwg.org/#resource-sharing-check fails when more than
one origin is specified, I think the syntax should be changed to only allow
one origin. Apparently the Origin header should get the same treatment.

Received on Friday, 9 November 2012 14:32:16 GMT
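
An added example, not part of the original bug report or of the spec text: a simplified JavaScript model of the resource sharing check for a request made without credentials, showing why a space-separated list in Access-Control-Allow-Origin never passes, next to a server-side helper that answers with a single origin taken from an allowlist. The function names and the example.test origins are assumptions made for this illustration.

```javascript
// Added illustration: simplified CORS resource sharing check for a request
// made without credentials. Names and origins are constructed for this example.

// acao: raw Access-Control-Allow-Origin value from the response, or null if absent.
function resourceSharingCheck(requestOrigin, acao) {
  if (acao === null) return "fail";
  if (acao === "*") return "pass";
  // The whole header value is compared, case-sensitively, with the request's
  // Origin value. It is never split on spaces and searched for a match.
  return acao === requestOrigin ? "pass" : "fail";
}

// Server side: answer with the one allowlisted origin that made the request.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.test",   // constructed sample origins
  "https://admin.example.test",
]);

function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // no CORS headers, check fails
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    // The response now depends on the Origin header, so caches must key on it.
    "Vary": "Origin",
  };
}

function demo() {
  const origin = "https://app.example.test";
  const other = "https://other.example.test";
  const list = [...ALLOWED_ORIGINS].join(" "); // what the list grammar permits
  const acaoFor = (o) => corsHeadersFor(o)["Access-Control-Allow-Origin"] ?? null;
  return {
    spaceSeparated: resourceSharingCheck(origin, list),
    single: resourceSharingCheck(origin, acaoFor(origin)),
    unlisted: resourceSharingCheck(other, acaoFor(other)),
  };
}

console.log(demo());
```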
