- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 27 Jun 2016 10:04:07 -0700
- To: Reto Gmür <me@farewellutopia.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CADYDTCD3g0g4T4=FTobOr_W_A03Pq0XdwoWRyh7UTvLap1=rAg@mail.gmail.com>
On Mon, Jun 27, 2016 at 5:45 AM, Reto Gmür <me@farewellutopia.com> wrote:

> It seems that the browser is caching some inferred
> Access-Control-Allow-Origin header and then complaining that the new
> host doesn't match. Note that the server actually returns "*" as the value of
> the header.

When I tried it didn't return "*", it reflected the requesting host. This _does_ cause caching issues, and the CORS spec says that if a site does NOT return "*" it should include Origin in its Vary header to prevent incorrect caching.

6.4 Implementation Considerations
https://www.w3.org/TR/cors/#resource-implementation

> Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins.

Since I can't imagine the w3 site wants to return different cards for TBL depending on who is asking, it really ought to be using Access-Control-Allow-Origin: * rather than reflecting the requesting origin. Blindly reflecting the origin is almost never a good idea -- that usually means either the origin doesn't matter (use "*" instead) or you may be over-sharing data.

-Dan Veditz
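A small model of the caching problem described above, added here as an illustration rather than code from the thread or from any W3C server; the URL, origins and server handlers are constructed. It walks two origins through a Vary-aware cache in front of a resource that reflects Origin without Vary, one that reflects with `Vary: Origin`, and one that answers `*`.

```python
# Added illustration (not code from the thread): a minimal HTTP cache that
# honours Vary, showing why a resource that reflects the requesting Origin
# must send "Vary: Origin". URL, origins and handlers are constructed here.

def reflect_origin(request_headers):
    # Reflects whatever Origin asked (the behaviour Dan observed), no Vary.
    return {"Access-Control-Allow-Origin": request_headers["Origin"]}

def reflect_origin_with_vary(request_headers):
    # Same reflection, but tells caches the response depends on Origin.
    return {"Access-Control-Allow-Origin": request_headers["Origin"],
            "Vary": "Origin"}

def wildcard(request_headers):
    # Public resource: one uniform answer, nothing for a cache to get wrong.
    return {"Access-Control-Allow-Origin": "*"}

def _vary_matches(response, stored_request, new_request):
    # A cached response may be reused only if every header named in its
    # Vary field has the same value on the new request as on the stored one.
    fields = [f.strip() for f in response.get("Vary", "").split(",") if f.strip()]
    return all(stored_request.get(f) == new_request.get(f) for f in fields)

class VaryAwareCache:
    def __init__(self, origin_server):
        self.origin_server = origin_server
        self.entries = {}  # url -> list of (request headers, response headers)

    def fetch(self, url, request_headers):
        """Return (response_headers, served_from_cache)."""
        for stored_request, response in self.entries.get(url, []):
            if _vary_matches(response, stored_request, request_headers):
                return response, True
        response = self.origin_server(request_headers)
        self.entries.setdefault(url, []).append((dict(request_headers), response))
        return response, False

def cors_allows(origin, response_headers):
    # Simplified browser-side check for a request made without credentials.
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == origin

def simulate(handler, origins, url="https://example.org/card"):  # constructed URL
    """For each origin in turn: (origin, cache hit?, would the browser allow it?)."""
    cache = VaryAwareCache(handler)
    results = []
    for origin in origins:
        response, hit = cache.fetch(url, {"Origin": origin})
        results.append((origin, hit, cors_allows(origin, response)))
    return results
```

With `reflect_origin` the second origin gets a cache hit carrying the first origin's ACAO value and the browser rejects it, which is exactly the symptom Reto reported; the wildcard only suits resources served without credentials, since browsers refuse `*` on credentialed responses, and there `Vary: Origin` is what remains.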
Received on Monday, 27 June 2016 17:04:36 UTC