
CORS and wildcards.

From: Mike West <mkwst@google.com>
Date: Wed, 27 Mar 2013 17:59:57 +0100
Message-ID: <CAKXHy=f8csHOpp_VHApTgj5jxsRztF4nd6sN9XGg+Di6ByFOKA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

One of the conclusions of
http://www.veracode.com/blog/2013/03/security-headers-on-the-top-1000000-websites-march-2013-report/
(which is worth reading) is that developers often misuse the
'Access-Control-Allow-Origin' header. At a glance, about 0.5% of the
sites that use the header send invalid values, mostly wildcarded like
'http://*.domain.com'.

Is there value in paving this cowpath?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Wednesday, 27 March 2013 17:00:49 UTC
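The wildcarded values the report counted as invalid are ones a browser will not honour: Access-Control-Allow-Origin takes '*', 'null', or exactly one serialized origin. The Python below is an added example, not code from this message or the list, showing the server-side pattern that delivers what 'http://*.domain.com' was reaching for: match the request's Origin against an allowlist, echo that exact origin back, and add Vary: Origin. The allowlist entries and origins in it are constructed.

```python
"""CORS subdomain allowlisting as browsers accept it (added, constructed example).

Access-Control-Allow-Origin takes only '*', 'null', or one serialized origin, so
'http://*.domain.com' is rejected. Per-subdomain access is decided server-side
against the request's Origin, echoing that exact origin back with 'Vary: Origin'
so a cache never serves one origin's response to another.
"""
import re
from urllib.parse import urlsplit

_HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")  # DNS-style host only, no IPv6

def _parse_origin(origin):
    """Return (scheme, host, port) for a serialized origin, or None if malformed."""
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not _HOST_RE.fullmatch(host):
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None  # an Origin is scheme://host[:port] and nothing else
    return parts.scheme, host, port or (443 if parts.scheme == "https" else 80)

def valid_acao_value(value):
    """True if a browser would accept this Access-Control-Allow-Origin value."""
    return value in ("*", "null") or _parse_origin(value) is not None

def _pattern_matches(pattern, scheme, host, port):
    """Match one allowlist entry; a leading '*.' covers subdomains, not the apex."""
    p_scheme, _, p_hostport = pattern.partition("://")
    p_host, _, p_port = p_hostport.partition(":")
    if p_scheme != scheme or int(p_port or (443 if scheme == "https" else 80)) != port:
        return False
    if p_host.startswith("*."):
        suffix = p_host[1:]  # ".example.com": 'evil-example.com' must not match
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == p_host

def origin_allowed(origin, patterns):
    parsed = _parse_origin(origin)
    return parsed is not None and any(_pattern_matches(p, *parsed) for p in patterns)

def cors_headers(origin, patterns):
    """Headers to add for an allowed origin; {} means send no CORS headers at all."""
    if not origin_allowed(origin, patterns):
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```

Whether the allowed set is one subdomain or hundreds, the response still names a single origin; the wildcard lives only in the server's allowlist.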
