- From: Reto Gmür <me@farewellutopia.com>
- Date: Thu, 30 Jun 2016 13:00:01 +0200
- To: Brad Hill <hillbrad@gmail.com>, public-webappsec@w3.org
- Message-Id: <1467284401.3287300.652964577.040FC47F@webmail.messagingengine.com>
Thanks for the link, Brad. I read "An anonymous request can be made by setting the withCredentials flag on an XMLHttpRequest to `false`, which causes the browser to omit the Origin and Cookie headers in the request". If I could prevent the browser from sending an Origin header this would cause the server to return "*" as the value of the Access-Control-Allow-Origin header. However, both Firefox and Chromium sent the Origin header even when withCredentials is set to false.

Cheers,
Reto

On Tue, 28 Jun 2016, at 18:55, Brad Hill wrote:
> If you'd like to comment, I've taken a stab at writing a "CORS for
> Developers" doc we might publish as a Working Group note to try to
> clarify some of this:
>
> https://docs.google.com/document/d/1AtxTDw-g9BSRW9n9kGTTqNkDTGcVfSKPAOjVGkPFu2k/edit#heading=h.gbk9567omrcz
>
> On Tue, Jun 28, 2016 at 1:23 AM Reto Gmür <me@farewellutopia.com> wrote:
>> On Mon, 27 Jun 2016, at 19:04, Daniel Veditz wrote:
>>> On Mon, Jun 27, 2016 at 5:45 AM, Reto Gmür <me@farewellutopia.com> wrote:
>>>> It seems that the browser is caching some inferred
>>>> Access-Control-Allow-Origin header and then complaining that the new
>>>> host doesn't match. Note that the server actually returns "*" as the
>>>> value of the header.
>>>
>>> When I tried it didn't return "*", it reflected the requesting host.
>>> This _does_ cause caching issues, and the CORS spec says that if a
>>> site does NOT return "*" it should include Origin in its Vary
>>> header to prevent incorrect caching.
>>>
>>> 6.4 Implementation Considerations
>>> https://www.w3.org/TR/cors/#resource-implementation
>>>
>>> Resources that wish to enable themselves to be shared with multiple
>>> Origins but do not respond uniformly with "*" must in practice
>>> generate the Access-Control-Allow-Origin header dynamically in
>>> response to every request they wish to allow. As a consequence,
>>> authors of such resources should send a Vary: Origin HTTP header or
>>> provide other appropriate control directives to prevent caching of
>>> such responses, which may be inaccurate if re-used across origins.
>>>
>>> Since I can't imagine the w3 site wants to return different cards
>>> for TBL depending on who is asking it really ought to be using
>>> Access-Control-Allow-Origin: * rather than reflecting the requesting
>>> origin. Blindly reflecting the origin is almost never a good idea --
>>> that usually means either the origin doesn't matter (use "*" instead)
>>> or you may be over-sharing data.
>>
>> Thanks Daniel! When I tried with cURL I never sent an "Origin"-header
>> and so the server replied with "Access-Control-Allow-Origin: *".
>>
>> I must say, it doesn't make me very confident that soon more sites
>> will be supporting CORS if not even the W3C manages to configure its
>> server right.
>>
>> Cheers,
>> Reto
>>
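An added example, not code from this thread or from any W3C server, modelling the caching failure Daniel describes: a shared cache sits in front of a server that reflects the request Origin, first without and then with `Vary: Origin`. The server, cache, URL and origins are constructed stand-ins.

```python
# Constructed model of a CORS resource that reflects the request Origin
# (returning "*" only when no Origin header is sent, as seen with cURL),
# a shared cache in front of it, and the browser's allow-origin check.

def reflecting_server(request_headers, send_vary):
    """Stand-in for the misconfigured server: echoes Origin back as ACAO."""
    origin = request_headers.get("Origin")
    headers = {"Access-Control-Allow-Origin": origin if origin else "*"}
    if send_vary:
        headers["Vary"] = "Origin"  # the fix the CORS spec recommends
    return headers


class SharedCache:
    """Toy cache that keys entries on URL plus the headers named in Vary."""

    def __init__(self, server):
        self.server = server
        self.store = {}

    @staticmethod
    def _vary_key(response_headers, request_headers):
        names = [n.strip() for n in response_headers.get("Vary", "").split(",")]
        return tuple((n, request_headers.get(n)) for n in names if n)

    def fetch(self, url, request_headers):
        """Return (response_headers, served_from_cache)."""
        for (cached_url, key), resp in self.store.items():
            if cached_url == url and key == self._vary_key(resp, request_headers):
                return resp, True
        resp = self.server(request_headers)
        self.store[(url, self._vary_key(resp, request_headers))] = resp
        return resp, False


def cors_allows(origin, response_headers):
    """Browser-side check: ACAO must be "*" or exactly the requesting origin."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == origin


def simulate(send_vary):
    """Two origins fetch the same URL through one cache; report hit and outcome."""
    cache = SharedCache(lambda h: reflecting_server(h, send_vary))
    url = "https://example.test/card"  # constructed placeholder URL
    results = []
    for origin in ("https://a.example", "https://b.example"):
        resp, hit = cache.fetch(url, {"Origin": origin})
        results.append((origin, hit, cors_allows(origin, resp)))
    return results
```

Without `Vary: Origin` the second origin is served the first origin's cached ACAO header and its request is blocked; with it (or with a uniform `*`) each origin gets a matching response.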
Received on Thursday, 30 June 2016 11:00:25 UTC