
Re: CORS and wildcards.

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 27 Mar 2013 20:41:36 +0100
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <6oh6l8pkudqamdur50ijpb9sraht6v62ab@hive.bjoern.hoehrmann.de>
* Mike West wrote:
>One of the conclusions of
>http://www.veracode.com/blog/2013/03/security-headers-on-the-top-1000000-websites-march-2013-report/
>(which is worth reading) is that developers often misuse
>the 'Access-Control-Allow-Origin' header. At a glance, about 0.5% of the
>sites that use the header send invalid values, mostly wildcarded like
>'http://*.domain.com'.
>
>Is there value in paving this cowpath?

As I recall it, there was considerable opposition against supporting
such wildcard syntax, and now it's too late to add it to that header.
For all we know, such headers are the result of some misconfiguration
where someone tried to name a particular subdomain `*` rather than
intending any wildcard matching semantics for the whole domain, and
second-guessing the author's intent would leave users vulnerable.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
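Added example (not part of the thread above, and not code from any of the participants): the first function checks whether an `Access-Control-Allow-Origin` value is syntactically acceptable, which is what makes `http://*.domain.com` an invalid value that browsers reject; the second shows the server-side way to get the effect the misconfigured sites were presumably after, matching the request's `Origin` against an allowlist and echoing that exact origin back. The parent domain `example.com` and the https-only rule are assumptions for illustration.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed deployment values (constructed for this example).
ALLOWED_PARENT = "example.com"   # subdomains of this domain may call the API
ALLOWED_SCHEMES = {"https"}


def is_valid_acao_value(value: str) -> bool:
    """Accept '*', 'null', or exactly one serialized origin
    (scheme://host[:port]); reject wildcard patterns, origin lists,
    credentials and anything with a path, query or fragment."""
    if value in ("*", "null"):
        return True
    if any(ch in value for ch in "*, "):
        return False
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.username is not None or parts.port is None and ":" in parts.netloc:
        return False
    return parts.path == "" and parts.query == "" and parts.fragment == ""


def cors_headers_for(request_origin: Optional[str]) -> Dict[str, str]:
    """Server-side equivalent of the non-existent wildcard syntax: match the
    request's Origin against the allowlist, then echo back exactly that
    origin (never the pattern). Vary: Origin stops shared caches from
    serving one origin's answer to a different one."""
    if request_origin is None:
        return {}
    parts = urlsplit(request_origin)
    host = parts.hostname or ""
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return {}
    # Exact parent or a dot-delimited subdomain; 'example.com.evil.net'
    # and 'evil-example.com' do not match.
    if not (host == ALLOWED_PARENT or host.endswith("." + ALLOWED_PARENT)):
        return {}
    return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
```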
Received on Wednesday, 27 March 2013 19:42:07 UTC
