
Bug in enable-cors.org

From: Simon Pieters <simonp@opera.com>
Date: Fri, 09 Nov 2012 15:11:16 +0100
To: michael.hausenblas@gmail.com
Cc: "www-archive@w3.org" <www-archive@w3.org>
Message-ID: <op.wnie02g2idj3kv@simons-macbook-pro-2.local>

http://enable-cors.org/ says

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com

The asterisk permits scripts hosted on any site to load your resources;  
the space-delimited lists limits access to scripts hosted on the listed  

http://fetch.spec.whatwg.org/#resource-sharing-check says

If the value of Access-Control-Allow-Origin is not a case-sensitive match  
for the value of the Origin header as defined by its specification, return  
fail and terminate this algorithm.

i.e. space separated values will fail.

Please update enable-cors.org to say only one origin can be specified.

Also, an origin has to be specified (rather than using "*") if one wants  
to use cookies, which does not appear to be discussed.

Simon Pieters
Opera Software
Received on Friday, 9 November 2012 14:11:44 UTC
